kyuubi icon indicating copy to clipboard operation
kyuubi copied to clipboard

Published 20 hours ago verified publisher icon apache

Bump okhttp from 3.12.12 to 4.12.0

Open Madhukar525722 opened this issue 1 year ago • 4 comments
trafficstars

:mag: Description

Describe Your Solution 🔧

This is to fix CVE-2023-0833 and CVE-2023-3635 (for okio) As there is no breaking change from okhttp 3 to 4, seems feasible - https://github.com/square/okhttp/issues/4723

Types of changes :bookmark:

  • [ ] Bugfix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Test Plan 🧪

Build and ran locally

Behavior Without This Pull Request :coffin:

Behavior With This Pull Request :tada:

Related Unit Tests

Checklist 📝

Be nice. Be informative.

Madhukar525722 avatar Oct 17 '24 07:10 Madhukar525722

this upgrade brings Kotlin as a runtime dependency, it's too heavy for an HTTP client. if OkHttp3 is EOL, we need to switch to an alternative HTTP client instead of upgrading.

pan3793 avatar Oct 17 '24 08:10 pan3793

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 0.00%. Comparing base (04468a6) to head (767a8ad). Report is 82 commits behind head on master.

Additional details and impacted files 
@@          Coverage Diff           @@
##           master   #6748   +/-   ##
======================================
  Coverage    0.00%   0.00%           
======================================
  Files         684     684           
  Lines       42281   42281           
  Branches     5768    5768           
======================================
  Misses      42281   42281

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov-commenter avatar Oct 17 '24 10:10 codecov-commenter

HI @pan3793 , I didn't get the statement that kotlin is going to be heavy. What I see is runtime jar are in few MBs only as: -rw-rw-r--. 1 kyuubi root 968 Oct 17 06:49 kotlin-stdlib-jdk8-1.8.21.jar -rw-rw-r--. 1 kyuubi root 963 Oct 17 06:49 kotlin-stdlib-jdk7-1.8.21.jar -rw-rw-r--. 1 kyuubi root 220K Oct 17 06:49 kotlin-stdlib-common-1.9.10.jar -rw-rw-r--. 1 kyuubi root 1.6M Oct 17 06:49 kotlin-stdlib-1.8.21.jar

Could you please guide me to test the concerns/ implications?

Madhukar525722 avatar Oct 17 '24 11:10 Madhukar525722

It's way too heavy to bring Kotlin into kyuubi distribution, especially considering okhttp is an indirect transparent dependency for kyuubi.

kubernetes-client v6 release does introduce API implementation split, allowing choose client from OkHttp, JDK HttpClient or Jetty HttpClient. https://github.com/fabric8io/kubernetes-client/blob/main/doc/MIGRATION-v6.md#apiimpl-split

bowenliang123 avatar Oct 18 '24 03:10 bowenliang123

Thanks for the PR! This PR is being closed due to inactivity. This isn't a judgement on the merit of the PR in any way. If this is still an issue with the latest version of Kyuubi, please reopen it and ask a committer to remove the Stale tag!

Thank you for using Kyuubi!

github-actions[bot] avatar Jan 30 '25 00:01 github-actions[bot]