SEC-859 | Resolved Critical dependabot alerts #29 and #31 #18
Conversation
dhanyavg-atlan
changed the title
| <htrace.version>4.1.5</htrace.version> | ||
| <bigtable.version>1.24.0</bigtable.version> | ||
| <!-- align with org.apache.spark:spark-core_2.12 --> | ||
| <spark.version>3.3.3</spark.version> |
There was a problem hiding this comment.
should you not bump the version of atlan-janusgraph @dhanyavg-atlan cc: @sumandas0
There was a problem hiding this comment.
Yes,
I think we should do that.
I think changing 1.1.0-SNAPSHOT to 1.1.1-SNAPSHOT or something similar.
But, in atlas-metastore we are using 0.6.03 version of janusgraph.
So, it will be unaffected if I make changes here right?
@sumandas0 @nikhilbonte21 Please give suggestions here what to do?
There was a problem hiding this comment.
@dhanyavg-atlan , I think we do not need spark dependency in metastore, can we remove this?
There was a problem hiding this comment.
My bad, please ignore last comment.
Dhanya is correct, we do not use master branch, no harm in pushing any change in master branch
There was a problem hiding this comment.
Yes, makes sense @nikhilbonte21
But, if someone using 1.1.0-SNAPSHOT anywhere, if we don't update this,
there is a possibality that these new updates won't be in the version mentioned.
So, I am thinking of changing that to 1.1.1-SNAPSHOT or you can give a better name for the new version.
If I am changing, I should also make sure that it is updated in all the pom.xml files.
So, please suggest accordingly on what to do.
Summary
-> Upgraded spark-core_2.12 to 3.3.3
-> Added one property and one override
-> This patches CVE-2023-39121 and https://github.com/atlanhq/atlan-janusgraph/security/dependabot/31
-> Upgraded calcite to 1.32.0
-> Added one property and one override
-> This resolves https://github.com/atlanhq/atlan-janusgraph/security/dependabot/29
-> Verified with mvn dependency:tree and mvn verify.
-> Jira -> https://atlanhq.atlassian.net/browse/SEC-859