revert cassandra driver to 4.6.1 #41
Comments
I would prefer to update the Jackson dependency unless there is some very strong technical reason otherwise (aside from trying to make Pekko 1.0.x as close to BSL Akka as possible). We already made exceptions to this rule (i.e. close to BSL Akka) before, ergo pekko-http with upstream paradox, if the reasons are strong enough and considering the historic problems with supporting older Jackson versions along with the related fact that we may get some CVE in the future.
Furthermore, current CVEs on their own are already an accepted exception for the "close to Akka BSL version" rule.
I also prefer to move forward with the version of the Cassandra driver (compared to Akka). Btw, with the latest Cassandra driver changelogs there are also some CVEs where they apparently upgraded Jackson 2.12.2 to 2.13.2 ... 🤔
We could also exclude the Jackson dependency of the driver until we're ready to upgrade it across all projects. As already mentioned, we have had this version in production for a long time due to issues with the outdated versions Akka had in use.
Let's upgrade Jackson - seems easiest, and we've had users asking about a Jackson upgrade anyway due to some recent CVEs.
The last OSS Akka release (1.0.6) depended on Cassandra driver v4.6.1.
fyi @nvollmar @jrudolph @mdedetrich
I'm neutral enough - I can see some benefit to just simply updating Jackson to latest v2.12 or latest v2.14 - but this revert might be closer to our usual aim of trying to closely match the last OSS Akka releases.