hive icon indicating copy to clipboard operation
hive copied to clipboard

Published 20 hours ago verified publisher icon apache

HIVE-28164: Remove log4j transitive dependency

Open Aggarwal-Raghav opened this issue 10 months ago • 6 comments

What changes were proposed in this pull request?

There are dependency like accumulo and slf4j bringing log4j vulnerable jars in dependency tree. There are few dependencies also which don't appear in dependecy tree but are bringing old and vulnerable log4j. This can be observed in local m2 repo cache.

Why are the changes needed?

For CVE's and security reasons.

Does this PR introduce any user-facing change?

NO

Is the change a dependency upgrade?

Yes, here is new dependency tree: new-dependency-tree.txt

How was this patch tested?

Will see the UT from CI

Aggarwal-Raghav avatar Mar 29 '24 11:03 Aggarwal-Raghav