We don’t upgrade dependencies in minor C* releases, so 2.0 and 2.1 will have to stick to what’s already there.
Feel free to open a JIRA issue for C* 3.0 to deal with upgrading all the dependencies, though. Just don’t create a PR - we cannot accept them. Just leave a comment with a link to your GH branch with the changes in JIRA. Thanks.

-- AY

On March 13, 2015 at 15:26:47, Paul Brown (paulrbr...@gmail.com) wrote:

Wow. It would be great if the Jackson dep could move up to 2.x. We'd even be willing to provide a PR for it.

On Fri, Mar 13, 2015 at 12:22 PM, Joe Fasano <joe_fas...@symantec.com> wrote:

> Hello All,
>
> I have been told by my team that some of the cassandra dependencies have
> some vulnerabilities and
> should be upgraded. Specifically,
> Joda Time 1.6 should be upgraded to 2.7
> Jackson 1.9.2 should be upgraded to 1.9.13
>
> Is there any schedule or process of getting Cassandra updates to include
> updated dependencies?
>
> Thanks,
> joe
>
> Joe Fasano
> Sr. Development Manager
> Symantec Corporation