tballison commented on code in PR #1444:
URL:
https://github.com/apache/incubator-stormcrawler/pull/1444#discussion_r1892543185
##########
core/pom.xml:
##########
@@ -116,22 +116,6 @@ under the License.
<groupId>org.apache.storm</groupId>
<artifactId>storm-client</artifactId>
</dependency>
- <!-- dependency overrides for vulnerable log4j versions -->
Review Comment:
Some of these dependencies become "provided" instead of "compile". Are we ok
with that? If yes, great, let's go forward. If not, we can at least inherit the
version from storm?
For example, in stormcrawler-opensearch, these disappear:
+- org.apache.logging.log4j:log4j-core:jar:2.24.3:compile
+- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
+- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.24.3:compile
and they're now picked up via storm-client, but two deps are now "provided":
[INFO] +- org.apache.storm:storm-client:jar:2.7.1:provided
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.24.1:compile
[INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.24.1:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.24.1:provided
For example, `org.apache.logging.log4j:log4j-core:jar:2.24.3:compile` shows
up 11 times currently, but it only shows up as provided in the patched
dependency tree.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@stormcrawler.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
