commit | f740d0283c1410f7c4b9b9af743894dedf97fc64 | [log] [tgz] |
---|---|---|
author | Cheng Pan <chengpan@apache.org> | Thu Feb 29 17:52:27 2024 +0800 |
committer | Cheng Pan <chengpan@apache.org> | Thu Feb 29 17:52:27 2024 +0800 |
tree | af47077543e46b0dd32bd2539d2eb903ec22745b | |
parent | 14551fc3c36d4294f200862aecdc804201c27938 [diff] |
[KYUUBI-SHADED #39] Bump Thrift 0.16.0

### _Why are the changes needed?_

The current Thrift 0.9.3-1 has the following CVEs.

- CVE-2020-13949 - THRIFT-5237(fixed in 0.14.0) - https://github.com/apache/thrift/pull/2191
- CVE-2019-0205 - THRIFT-4053(fixed in 0.11.0) - https://github.com/apache/thrift/pull/1371
- CVE-2018-11798 - only affects NodeJS

We choose to upgrade to 0.16.0 because

- has no CVEs reported yet
- the latest Hive 4.0.0-beta1 uses Thrift 0.16.0
- Thrift 0.17.0 ~ 0.18.1 has issues on transitive deps
- Thrift 0.18.0 is built on Java 11, which is not compatible with Java 8
- Thrift 0.19.0 restores support for Java 8, but upgrades Apache Http Client5, it involves additional deps

Also, this PR overrides one class `org.apache.thrift.partial.Validate` to remove the dependency on Apache Commons Lang3

### _How was this patch tested?_

- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before making a pull request

Closes #39 from pan3793/thrift-0.16.

2b7dd2b [Cheng Pan] Bump Thrift 0.16.0

Authored-by: Cheng Pan <chengpan@apache.org>
Signed-off-by: Cheng Pan <chengpan@apache.org>

This project packages relocated third-party libraries used by Apache Kyuubi.
All relocated classes are under the package `org.apache.kyuubi.shaded`, and the binary artifacts' names start with `kyuubi-relocated-`.
This project is for Apache Kyuubi internal use. Included libraries and/or their versions are subject to change at the discretion of Kyuubi, without regard to the concerns of others!
Apache Kyuubi is an open source project of The Apache Software Foundation (ASF).