[jira] [Commented] (CASSANDRA-20314) Upgrade Netty to 4.1.119.Final and netty-tcnative to 2.0.70.Final

Thu, 03 Apr 2025 14:47:49 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-20314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940826#comment-17940826
 ] 

Stefan Miklosovic commented on CASSANDRA-20314:
-----------------------------------------------

We do pull it but we are not shipping it, we are deleting it here

https://github.com/apache/cassandra/blob/trunk/.build/build-resolver.xml#L254-L255

The reason why we do it like that is that when you declare 
netty-tcnative-boringssl-static in parent-pom-template.xml, under normal 
circumstances you might exclude some dependencies that artifact itself depends 
on, but netty-tcnative-boringssl-static is special in such a way that its 
platform-specific dependencies it contains share same group and artifact id, 
they only differ on "classifier". But if you tried to exclude such a dependency 
like this, it would fail to build it. IDEA actually marks "classifier" as 
illegal element. 

{code}
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-tcnative-boringssl-static</artifactId>
        <version>2.0.70.Final</version>
        <exclusions>
          <exclusion>
              <groupId>io.netty</groupId>
              <artifactId>netty-tcnative-boringssl-static</artifactId>
              <classifier>windows-x86_64</classifier>
          </exclusion>
        </exclusions>
      </dependency>
{code}

So the next best thing is to just remove it manually so it is not among the 
jars we ship. 

> Upgrade Netty to 4.1.119.Final and  netty-tcnative to 2.0.70.Final
> ------------------------------------------------------------------
>
>                 Key: CASSANDRA-20314
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20314
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Dmitry Konstantinov
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 5.0.4, 5.1
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Upgrade netty and netty-tcnative to get security fixes:
>  * [https://netty.io/news/2025/02/10/4-1-118-Final.html] 
>  * 
> [https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw|https://netty.io/news/2025/02/10/4-1-118-Final.html]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to