Fix CVEs in google-cloud via dependency updates and tree tracing #1616
sidhdirenge wants to merge 1 commit into
Code Review
This pull request updates several dependency versions in the pom.xml file, including Apache Avro, Guava, Protocol Buffers, Jackson Databind, and Snappy Java. The reviewer recommends avoiding hardcoded version numbers within the dependency declarations. Instead, the project should continue using Maven properties (such as ${avro.version}, ${guava.version}, ${google.protobuf.java.version}, and ${jackson.core.version}) and update their definitions in the <properties> section to ensure POM consistency and maintainability.
| <groupId>org.apache.avro</groupId> | ||
| <artifactId>avro</artifactId> | ||
| <version>${avro.version}</version> | ||
| <version>1.11.4</version> |
Instead of hardcoding the version 1.11.4 directly in the dependency, you should continue using the property ${avro.version}. The property avro.version is already defined as 1.11.4 in the <properties> section of this POM. Hardcoding it here bypasses the property and reduces maintainability.
| <version>1.11.4</version> | |
| <version>${avro.version}</version> |
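Review bot: accepting the suggestion above restores ${avro.version}, which leaves the avro dependency declaration exactly as it was before this PR, so this hunk contributes no upgrade at all; if the property already resolves to 1.11.4 as the comment states, drop the avro edit from the PR, and run mvn dependency:tree -Dincludes=org.apache.avro to confirm that 1.11.4 is the version that actually resolves rather than an older one pulled in transitively.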
| <groupId>com.google.guava</groupId> | ||
| <artifactId>guava</artifactId> | ||
| <version>${guava.version}</version> | ||
| <version>31.1-jre</version> |
Instead of hardcoding the version 31.1-jre directly in the dependency, you should continue using the property ${guava.version} and update the <guava.version> property in the <properties> section (line 79) to 31.1-jre. This keeps the POM consistent and avoids leaving unused or outdated properties.
| <version>31.1-jre</version> | |
| <version>${guava.version}</version> |
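Review bot: the suggested replacement only reverts the dependency line to ${guava.version}; the property update to 31.1-jre on line 79 is not part of the suggestion, so applying it from the UI without a matching property edit silently discards the guava upgrade this PR exists for. Put the property change in the same commit so the two cannot land separately.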
| <groupId>com.google.protobuf</groupId> | ||
| <artifactId>protobuf-java</artifactId> | ||
| <version>${google.protobuf.java.version}</version> | ||
| <version>3.25.5</version> |
Instead of hardcoding the version 3.25.5 directly in the dependency, you should continue using the property ${google.protobuf.java.version} and update the <google.protobuf.java.version> property in the <properties> section (line 77) to 3.25.5. This keeps the POM consistent and avoids leaving unused or outdated properties.
| <version>3.25.5</version> | |
| <version>${google.protobuf.java.version}</version> |
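Review bot: same concern as the guava hunk, with one addition: a property named google.protobuf.java.version is probably referenced by any other protobuf artifacts declared in this POM, so pinning only protobuf-java to 3.25.5 here would let those artifacts drift from it. Bumping the property on line 77 moves every artifact that references it to 3.25.5 in one place.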
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-databind</artifactId> | ||
| <version>${jackson.core.version}</version> | ||
| <version>2.14.0</version> |
Instead of hardcoding the version 2.14.0 directly in the dependency, you should continue using the property ${jackson.core.version} and update the <jackson.core.version> property in the <properties> section (line 84) to 2.14.0. This keeps the POM consistent and avoids leaving unused or outdated properties.
| <version>2.14.0</version> | |
| <version>${jackson.core.version}</version> |
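Review bot: hardcoding 2.14.0 on jackson-databind alone, while jackson-core and any other Jackson modules keep resolving through ${jackson.core.version} (the property name suggests they do), invites a databind/core version mismatch at runtime, since Jackson expects its modules to share the same minor version. Update the jackson.core.version property on line 84 instead so the whole Jackson set moves to 2.14.0 together, and verify with mvn dependency:tree -Dincludes=com.fasterxml.jackson.core that no single module is left behind.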
Traced dependency tree and updated snappy-java (1.1.10.5), avro (1.11.4), jackson-databind (2.14.0), protobuf-java (3.25.5), and guava (31.1-jre).