Bump version for few dependencies#109
Conversation
| jetty = "12.1.9" | ||
| netty = "4.1.133.Final" | ||
| jetty = "12.1.10" | ||
| netty = "4.2.15.Final" |
There was a problem hiding this comment.
Keep netty on the same major release please - 4.1.x
There was a problem hiding this comment.
any specific reason?
There was a problem hiding this comment.
we need some testing/validation before netty major version upgrade?
There was a problem hiding this comment.
Yes - we don't use netty directly, we depend on it via grpc. So when we upgrade it, we're swapping the version the grpc libs compiled/tested against out at runtime. For patch releases that's fine, but the upgrade process from 4.1->4.2 has many gotchas that we don't want to (and in some cases, aren't able to) account for: https://netty.io/wiki/netty-4.2-migration-guide.html
Once grpc itself updates it's netty version, we can. But in the meantime there shouldn't be any CVEs that appear on 4.1 and not 4.2, 4.1 is much more widely adopted and both are maintained. Is there a particular CVE you're looking at?
Description
I have bumped the jetty version from 12.1.9 to 12.1.10 to resolve a vulnerability
Testing
Please describe the tests that you ran to verify your changes. Please summarize what did you test and what needs to be tested e.g. deployed and tested helm chart locally.
Checklist:
Documentation
Make sure that you have documented corresponding changes in this repository or hypertrace docs repo if required.