[Fix-4143][jar upgrade] upgrade quartz version to 2.3.0 #4150
davidzollo merged 11 commits into apache:dev from
| oshi-core 3.5.0: https://mvnrepository.com/artifact/com.github.oshi/oshi-core/3.5.0, EPL 1.0 | ||
| junit 4.12: https://mvnrepository.com/artifact/junit/junit/4.12, EPL 1.0 | ||
| h2-1.4.200 https://github.com/h2database/h2database/blob/master/LICENSE.txt, MPL 2.0 or EPL 1.0 | ||
| mchange-commons-java 0.2.11: https://mvnrepository.com/artifact/com.mchange/mchange-commons-java/0.2.11, EPL 1.0 |
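Review bot: the mchange-commons-java 0.2.11 row at the end of this hunk records the license as "EPL 1.0" only. If the upstream LICENSE file offers a choice of licenses, state the choice in the row the way the h2 row above it does ("MPL 2.0 or EPL 1.0"), so the release docs match the terms the jar is actually distributed under.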
Hi, I saw its license [1] is LGPL or EPL; could you remove this jar?
[1] https://github.com/swaldman/mchange-commons-java/blob/mchange-commons-java-0.2.11/LICENSE
| junit 4.12: https://mvnrepository.com/artifact/junit/junit/4.12, EPL 1.0 | ||
| h2-1.4.200 https://github.com/h2database/h2database/blob/master/LICENSE.txt, MPL 2.0 or EPL 1.0 | ||
| mchange-commons-java 0.2.11: https://mvnrepository.com/artifact/com.mchange/mchange-commons-java/0.2.11, EPL 1.0 | ||
| c3p0 0.9.5.2: https://mvnrepository.com/artifact/com.mchange/c3p0/0.9.5.2, EPL 1.0 |
Hi, I saw the license [1] of c3p0 is LGPL or EPL; could you remove this jar?
[1] https://github.com/swaldman/c3p0/blob/c3p0-0.9.5.2/LICENSE
Hi, this is relatively difficult because Quartz relies on it. Type B licenses can also be introduced, but we need to be relatively cautious. What do you think?
> Hi, this is relatively difficult because Quartz relies on it. Type B licenses can also be introduced, but we need to be relatively cautious. What do you think?

I think what we don't use directly can be removed. Take c3p0 as an example: we don't use c3p0, we use Druid as the database connection pool, so I think it could be removed, but I'm not sure. Just try?
@kevinsun2010 Sorry, I may have misled you, you can try as @lgcareer said.
> @kevinsun2010 Sorry, I may have misled you, you can try as @lgcareer said.

I see, I will try. Thanks.
I tried as @lgcareer said, but Compile-check failed, about +c3p0-0.9.5.2.jar

I committed some code to this PR; now it's OK.
Codecov Report
@@ Coverage Diff @@
## dev #4150 +/- ##
============================================
- Coverage 41.37% 41.34% -0.04%
+ Complexity 3116 3112 -4
============================================
Files 467 467
Lines 22168 22168
Branches 2720 2720
============================================
- Hits 9173 9166 -7
- Misses 12113 12117 +4
- Partials 882 885 +3
No need to add HikariCP-java6.
Kudos, SonarCloud Quality Gate passed!

What is the purpose of the pull request
4143
There is a vulnerability in Quartz Enterprise Job Scheduler 2.2.3; upgrade recommended.
Brief change log
Modify the corresponding jar version in the incubator-dolphinscheduler/pom.xml.
Modify the version of the corresponding jar in tools/dependencies/known-dependencies.txt.
Modify the relevant jar version in the dolphinscheduler-dist/release-docs/LICENSE file.
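
A consistency check for the last two steps of the change log, as an added example that is not part of this pull request or of the DolphinScheduler build: it compares the jar list with the LICENSE rows and reports jars with no row, rows with an old version, and rows for jars that are no longer shipped. The jar-name and row formats follow the lines quoted on this page; the file contents, the quartz row and the function names are constructed for illustration.

```python
import re

# Jar names as they appear in known-dependencies.txt, e.g. "c3p0-0.9.5.2.jar".
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[\w.\-]*)\.jar$")
# LICENSE rows: "name version: url, license"; the h2 row is "name-version url, license".
ROW_RE = re.compile(
    r"^(?P<name>[\w.\-]+?)[ -](?P<ver>\d[\w.\-]*):?\s+(?P<url>https?://\S+),\s*(?P<lic>.+)$")

# Constructed sample state: quartz upgraded and c3p0 dropped from the jar list,
# but the LICENSE rows were not updated to match. The quartz row is constructed.
KNOWN_DEPENDENCIES = """\
h2-1.4.200.jar
mchange-commons-java-0.2.11.jar
quartz-2.3.0.jar
"""
LICENSE_ROWS = """\
h2-1.4.200 https://github.com/h2database/h2database/blob/master/LICENSE.txt, MPL 2.0 or EPL 1.0
c3p0 0.9.5.2: https://mvnrepository.com/artifact/com.mchange/c3p0/0.9.5.2, EPL 1.0
quartz 2.2.3: https://mvnrepository.com/artifact/org.quartz-scheduler/quartz/2.2.3, Apache 2.0
"""

def parse(text, pattern):
    """Return {name: match} for every line the pattern recognises."""
    hits = (pattern.match(line.strip()) for line in text.splitlines())
    return {m["name"]: m for m in hits if m}

def audit(known_deps, license_text):
    """Compare shipped jars with documented rows; return (status, name, detail)."""
    shipped, documented = parse(known_deps, JAR_RE), parse(license_text, ROW_RE)
    findings = []
    for name in sorted(shipped):
        ver, row = shipped[name]["ver"], documented.get(name)
        if row is None:
            findings.append(("missing", name, f"{name}-{ver}.jar has no LICENSE row"))
        elif row["ver"] != ver:
            findings.append(("stale", name, f"LICENSE says {row['ver']}, jar is {ver}"))
    for name in sorted(set(documented) - set(shipped)):
        lic = documented[name]["lic"]
        findings.append(("orphan", name, f"LICENSE row for a jar not shipped ({lic})"))
    return findings

if __name__ == "__main__":
    for status, name, detail in audit(KNOWN_DEPENDENCIES, LICENSE_ROWS):
        print(f"{status:8} {name:24} {detail}")
```

Run against the real files in CI, an empty result means every shipped jar has a row at the shipped version and no row describes a jar that was removed.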