Closed martinvisser closed 4 months ago
Hello!
Thanks for bringing this to our attention!
I'm not sure I understand what you're trying to do though: 4.19.1 is the version we currently rely on, which did not break the API yet.
We haven't made any upgrade to the latest ones yet (4.19.4 at the moment).
Shouldn't we make the necessary java-cf-env changes when we start relying on those new versions? (instead of now)
Hello @anthonydahanne, we upgraded the version ourselves, basically because there was an upgrade. During our builds we didn't have any issues, but whilst trying to deploy with the java-buildpack it failed with the aforementioned error.
So, I guess what I'm asking is if there are any plans to upgrade json-io. If that implies changes to java-cf-env then I guess that's where the change needs to be made?
> So, I guess what I'm asking is if there are any plans to upgrade json-io

Eventually yes. But honestly, for now, as long as there aren't any vulnerabilities or major features missing, there's no rush I believe.
> If that implies changes to java-cf-env then I guess that's where the change needs to be made?

Yeah, according to your issue we'll have to change java-cf-env code (a minor upgrade I imagine)
A final note though: if you use java-cfenv-all, you'll notice that json-io is shaded into it; meaning you would not upgrade the version yourself (and you could actually ignore that dependency altogether) - maybe you have reasons not to use this "all in one" java-cfenv (the jar injected by the java-buildpack btw), but in case you did not know about it, it's worth checking it I believe.
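To see which copy of json-io a given jar actually carries (a direct copy you can upgrade yourself, or one shaded into a bundle as described above), the jar can be inspected directly. The following is an added example, not part of the thread or of java-cfenv; it assumes json-io's Maven coordinates `com.cedarsoftware:json-io`, that the shading step kept the embedded `pom.properties`, and it uses constructed in-memory jars with a hypothetical relocation prefix.

```python
import io
import re
import zipfile

# json-io's Maven coordinates and the path of one of its classes.
POM_PROPS = "META-INF/maven/com.cedarsoftware/json-io/pom.properties"
CLASS_SUFFIX = "com/cedarsoftware/util/io/JsonReader.class"


def find_json_io(jar_bytes):
    """Return (kind, location, version) for each json-io copy in a jar.

    kind is "direct" when the classes sit at their original package and
    "relocated" when they live under another path prefix (e.g. shaded).
    version is read from the embedded pom.properties, or None if absent.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        version = None
        if POM_PROPS in names:
            text = jar.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", text, re.MULTILINE)
            version = match.group(1).strip() if match else None
        found = []
        for name in names:
            if not name.endswith(CLASS_SUFFIX):
                continue
            prefix = name[: -len(CLASS_SUFFIX)]
            if prefix and not prefix.endswith("/"):
                continue  # e.g. "xcom/..." is a different package
            kind = "relocated" if prefix else "direct"
            found.append((kind, prefix.rstrip("/") or "/", version))
        return found


def build_sample_jar(entries):
    """Build a constructed in-memory jar from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, data in entries.items():
            jar.writestr(path, data)
    return buf.getvalue()


# Constructed samples; the prefix "shaded/example" is hypothetical.
PLAIN = build_sample_jar({CLASS_SUFFIX: b"", POM_PROPS: b"version=4.19.1\n"})
SHADED = build_sample_jar({"shaded/example/" + CLASS_SUFFIX: b"",
                           POM_PROPS: b"version=4.19.1\n"})

if __name__ == "__main__":
    for label, jar in (("plain", PLAIN), ("shaded", SHADED)):
        print(label, find_json_io(jar))
```

The function does not descend into jars nested inside a fat jar; run it on each jar of the deployed classpath separately.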
We are using the following dependency in our maven project, which does not use the "all" version unfortunately:

<dependency>
  <groupId>io.pivotal.spring.cloud</groupId>
  <artifactId>spring-cloud-services-starter-config-client</artifactId>
</dependency>

This dependency brings in json-io:
We got a notification this version of json-io contains a CVE, which is the main reason we upgraded it in the first place. Do you know if there is an alternative for the config-client starter which would use the shaded version perhaps? It doesn't really solve the CVE issue of course, but it would help with compatibility.
> This dependency brings in json-io:

OK, then I guess the issue lies with https://github.com/pivotal-cf/spring-cloud-services-starters not consuming our latest release that relies on a java-cfenv free of CVEs
I've created this PR: https://github.com/pivotal-cf/spring-cloud-services-starters/pull/406
> Do you know if there is an alternative for the config-client starter which would use the shaded version perhaps? It doesn't really solve the CVE issue of course, but it would help with compatibility.

Hum, I don't know, we should ask them - cc @kvmw
The author of json-io added the API back, so after upgrading to its latest version the issue is gone. I guess we can close this one as the work should be done in the starters anyway.
As mentioned in https://github.com/jdereg/json-io/issues/274, a NoSuchMethodError is triggered after json-io was updated. Would be appreciated if the compatibility could be fixed.