FrankChen021 commented on code in PR #19300:
URL: https://github.com/apache/druid/pull/19300#discussion_r3141459926
##########
pom.xml:
##########
@@ -112,7 +112,7 @@
<netty3.version>3.10.6.Final</netty3.version>
<netty4.version>4.2.12.Final</netty4.version>
<postgresql.version>42.7.2</postgresql.version>
- <protobuf.version>3.25.8</protobuf.version>
+ <protobuf.version>4.33.2</protobuf.version>
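Review bot: the `protobuf.version` line jumps a major version (3.25.8 to 4.33.2) in a property of the top-level `pom.xml`, so every module that resolves protobuf artifacts through this property moves with it. If only one module needs the newer release, override the version in that module's pom rather than here; if the shared bump is intended, add an XML comment beside the property stating the reason and confirm what each module actually resolves with `mvn dependency:tree -Dincludes=com.google.protobuf`.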
Review Comment:
[P1] Root protobuf upgrade reintroduces a repository-wide unsupported dependency graph

This changes the shared `protobuf.version` for the whole repo to 4.33.2, but
the repository already documents that protobuf 4.x is not supported
project-wide. Because `protobuf-java` and `protobuf-java-util` inherit from the
root property, this upgrades every protobuf consumer at once without any
compatibility changes, so it broadens the grpc CVE fix into a repo-wide
dependency regression.
##########
extensions-core/google-extensions/pom.xml:
##########
@@ -51,6 +51,7 @@
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-storage</artifactId>
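Review bot: the single line this hunk adds (per the `-51,6 +51,7` header) sits on the `google-cloud-storage` dependency and is not visible in the excerpt. If it is a `<scope>` element, the PR should state which module or packaging step supplies the GCS client jars to the extension at runtime, or leave the dependency at the default compile scope.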
Review Comment:
[P1] Changing google-cloud-storage to provided can remove required runtime jars

This scope change drops a direct runtime dependency from
`druid-google-extensions`, even though the extension instantiates GCS SDK types
such as `StorageOptions` and `BlobInfo`. The repository already compensates for
compile-only upstream declarations elsewhere, so making this dependency
provided is likely to leave the extension without the GCS client jars at
runtime.