Closed pjfanning closed 1 year ago
I would prefer to update the Jackson dependency unless there is some very strong technical reason otherwise (aside from trying to make Pekko 1.0.x, as close to BSL Akka as possible).
We already made exceptions to this rule (i.e. close to BSL Akka) before, e.g. pekko-http with upstream paradox, if the reasons are strong enough, and considering the historic problems with supporting older Jackson versions along with the related fact that we may get some CVE in the future.
I also prefer to move forward with the version of the cassandra driver (compared to akka). We were already bitten by problems with the old driver and had to force override the cassandra-driver version to avoid problems.
Btw. with the latest cassandra driver there are also some CVEs https://docs.datastax.com/en/developer/java-driver/4.14/changelog/
Furthermore, current CVEs on their own are already an accepted exception for the "close to Akka BSL version" rule.
I also prefer to move forward with the version of the cassandra driver (compared to akka). We were already bitten by problems with the old cassandra driver used by a-persistence-cassandra and had to force override the cassandra-driver version to avoid problems. Reverting pekko now will only make matters worse.
Btw. with the latest cassandra driver changelogs there are also some CVEs where they apparently upgraded jackson 2.12.2 to 2.13.2 ... :thinking: https://docs.datastax.com/en/developer/java-driver/4.14/changelog/ -> https://github.com/datastax/java-driver/commit/3b75607526f49c7f2dad08c5c31884d0dc6f4b84
We could also exclude the jackson dependency of the driver until we're ready to upgrade it across all projects.
As already mentioned, we have this version in production for a long time due to issues with the outdated versions Akka was having in use.
Let's upgrade jackson - seems easiest, and we've had users asking about a Jackson upgrade anyway due to some recent CVEs.
Last OSS Akka release (1.0.6) depended on cassandra driver v4.6.1.
fyi @nvollmar @jrudolph @mdedetrich
I'm neutral enough - I can see some benefit to just simply updating Jackson to latest v2.12 or latest v2.14 - but this revert might be closer to our usual aim as to trying to closely match the last OSS Akka releases.