davidradl commented on code in PR #341: URL: https://github.com/apache/flink-statefun/pull/341#discussion_r1345814020
########## statefun-kafka-io/pom.xml: ########## @@ -43,9 +43,7 @@ under the License. <version>${kafka.version}</version> <exclusions> <!-- This collides with snappy-java brought from - org.apache.flink:flink-streaming-java_${scala.binary.version} - org.xerial.snappy:snappy-java:1.1.4 - --> + org.apache.flink:flink-streaming-java -->

Review Comment:
It would be good to leave a comment here. As far as I can see Flink 1.16.2 has snappy-java 1.1.8.3 which is vulnerable - so you want to exclude it here. But 1.17 Flink and above uses snappy-java 1.1.10.4. So this is a point-in-time change, because of your dependency on the back-level Flink. I assume we would want to move to a provided dependency when we depend on a Flink 1.17 or above. Have I understood this correctly?
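Review bot: the shortened comment on the `+` line inside the `<exclusions>` block no longer records which snappy-java version the exclusion targets or why it exists, so a later maintainer cannot tell when it is safe to drop; the removed lines at least named `org.xerial.snappy:snappy-java:1.1.4`. Consider keeping both the version and the removal condition in the comment, along the lines of `<!-- Excludes the snappy-java version pulled in transitively by org.apache.flink:flink-streaming-java; remove once the Flink dependency ships a fixed snappy-java -->`, with the exact version checked against the Flink release actually depended on (the review comment above cites 1.1.8.3 for Flink 1.16.2 and 1.1.10.4 for Flink 1.17 and above).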