Making jackson-dataformat-yaml an optional/provided dependency #25350
pabloem wants to merge 1 commit into apache:master from
Conversation
r: @chamikaramj

Stopping reviewer notifications for this pull request: review requested by someone other than the bot, ceding control

LGTM.

- LGTM This actually will break a documented feature - https://beam.apache.org/documentation/programming-guide/#1311-creating-cross-language-java-transforms Also, seems like the vulnerability related to this library is a false positive for our use-case. This might also result in runtime issues for multi-lang users in general since these classes might get loaded during execution (depends on how the code is structured).

How do we parse YAML elsewhere in the code base or in other projects? At least, we should make sure that users that do not use an allowlist do not run into class loading errors due to the dependency not being available in the shaded expansion service jars. Also, if we exclude the dependency, we should update the documentation to mention that the dependency should be explicitly included when using an allowlist.

Closing as the underlying CVE is not exploitable for Beam. See: #25449
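The class-loading concern raised above, shown as an added example that is not code from the Beam project: if jackson-dataformat-yaml becomes optional, the YAML code path has to probe for the artifact and fail with an actionable message instead of a NoClassDefFoundError. `AllowlistLoader` and its method names are hypothetical; `YAMLFactory`, `ObjectMapper` and `TypeReference` are the real Jackson classes, and the document is parsed as a generic map because no allowlist schema is assumed.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.Map;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;

/** Hypothetical helper: parse an allowlist from YAML only when the optional artifact is present. */
public final class AllowlistLoader {
  // Probed by name so that this class links even when jackson-dataformat-yaml is absent.
  private static final String YAML_FACTORY_CLASS =
      "com.fasterxml.jackson.dataformat.yaml.YAMLFactory";

  /** True if the optional dependency is on the classpath (no static initialisation is run). */
  public static boolean yamlSupportAvailable() {
    try {
      Class.forName(YAML_FACTORY_CLASS, false, AllowlistLoader.class.getClassLoader());
      return true;
    } catch (ClassNotFoundException e) {
      return false;
    }
  }

  /** Parses the allowlist, or fails with a message that names the missing artifact. */
  public static Map<String, Object> loadAllowlist(Reader yaml) throws IOException {
    if (!yamlSupportAvailable()) {
      throw new IllegalStateException(
          "Allowlist parsing needs com.fasterxml.jackson.dataformat:jackson-dataformat-yaml "
              + "on the classpath; add it explicitly when using an allowlist.");
    }
    return YamlSupport.parse(yaml);
  }

  // Nested holder: the JVM loads and links this class only on first use, so the direct
  // YAMLFactory reference cannot trigger NoClassDefFoundError on the non-allowlist path.
  private static final class YamlSupport {
    static Map<String, Object> parse(Reader yaml) throws IOException {
      ObjectMapper mapper = new ObjectMapper(new YAMLFactory());
      return mapper.readValue(yaml, new TypeReference<Map<String, Object>>() {});
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample document, not Beam's allowlist format.
    String sample = "version: v1\nallowlist:\n  - org.example.SomeTransform\n";
    System.out.println(loadAllowlist(new StringReader(sample)));
  }
}
```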