chore(hive): Bump dependencies ahead of 25.7.0 #1100

Open: wants to merge 8 commits into base branch main

Conversation

@NickLarsenNZ (Member) commented May 6, 2025

Part of #1087.

Definition of Done Checklist

Note

Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant.

Please make sure all these things are done and tick the boxes

  • Changes are OpenShift compatible
  • All added packages (via microdnf or otherwise) have a comment on why they are added
  • Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
  • All packages should have (if available) signatures/hashes verified
  • Add an entry to the CHANGELOG.md file
  • Integration tests ran successfully

TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

```
bake --product <product> --image-version <stackable-image-version>
kind load docker-image <image-tagged-with-the-major-version> --name=<name-of-your-test-cluster>
```

See the output of bake to retrieve the image tag for <image-tagged-with-the-major-version>.

@NickLarsenNZ NickLarsenNZ self-assigned this May 6, 2025
@NickLarsenNZ NickLarsenNZ disabled auto-merge May 6, 2025 11:11
@NickLarsenNZ NickLarsenNZ requested review from lfrancke and removed request for lfrancke May 6, 2025 11:16
@NickLarsenNZ NickLarsenNZ assigned lfrancke and unassigned NickLarsenNZ May 6, 2025
@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Progress in Stackable Engineering May 6, 2025
@NickLarsenNZ NickLarsenNZ moved this from Development: In Progress to Ready for Development in Stackable Engineering May 6, 2025
@lfrancke lfrancke assigned NickLarsenNZ and unassigned lfrancke May 21, 2025
@lfrancke lfrancke moved this from Ready for Development to Development: In Progress in Stackable Engineering May 21, 2025

Note: Should have been done as part of #1118
I was getting the following error:

```
An unexpected error has occurred: CalledProcessError: command: ('/nix/store/15jzs4a11nqp4m1xvnw0rz9395anzjsm-nodejs-18.20.8/bin/node', '/run/current-system/sw/bin/npm', 'install', '--include=dev', '--include=prod', '--ignore-prepublish', '--no-progress', '--no-save')
return code: 1
stdout: (none)
stderr:
    npm error code EBADENGINE
    npm error engine Unsupported engine
    npm error engine Not compatible with your version of node/npm: markdownlint-cli@0.45.0
    npm error notsup Not compatible with your version of node/npm: markdownlint-cli@0.45.0
    npm error notsup Required: {"node":">=20"}
    npm error notsup Actual:   {"npm":"10.8.2","node":"v18.20.8"}
    npm error A complete log of this run can be found in: /home/nick/.npm/_logs/2025-05-28T10_40_07_463Z-debug-0.log
Check the log at /home/nick/.cache/pre-commit/pre-commit.log
```
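A pre-flight check for the failure above, added here as an example and not code from this PR or the Stackable repository: it reproduces npm's engines verdict from a package's `engines.node` range and the local `node --version`, so the node 18 vs `>=20` mismatch surfaces before the pre-commit hook runs. It implements only the comparator subset of node-semver ranges, which is sufficient for `>=20`.

```python
"""Pre-flight check for the npm EBADENGINE failure quoted above.

Added example, not code from this PR or from the Stackable repository.
Inputs are the output of `node --version` and the package's engines.node.
Implements only the comparator subset of node-semver ranges (>=, >, <=,
<, =, bare versions, whitespace = AND, "||" = OR), enough for ">=20".
"""
import re


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v18.20.8', '20' or '20.1' into a 3-tuple; missing parts are 0."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(p or 0) for p in m.groups())
    return (major, minor, patch)


_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def _comparator_ok(comp: str, version: tuple[int, int, int]) -> bool:
    """Evaluate one comparator such as '>=20' against a parsed version."""
    m = re.fullmatch(r"(>=|<=|>|<|=)?\s*(v?[\d.]+)", comp)
    if not m:
        raise ValueError(f"unsupported comparator: {comp!r}")
    op = m.group(1) or "="
    return _OPS[op](version, parse_version(m.group(2)))


def satisfies(version_text: str, range_text: str) -> bool:
    """True when the version falls inside the range (npm's engine test)."""
    version = parse_version(version_text)
    for alternative in range_text.split("||"):
        comps = alternative.split()
        if comps and all(_comparator_ok(c, version) for c in comps):
            return True
    return False


def engine_check(actual_node: str, required: str) -> str:
    """Return 'ok' or an EBADENGINE-style message like the one npm printed."""
    if satisfies(actual_node, required):
        return "ok"
    return f"EBADENGINE: required node {required}, actual {actual_node}"
```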
@NickLarsenNZ NickLarsenNZ moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering May 28, 2025
@NickLarsenNZ (Member, Author):

Notes on patching:

  • 🟢 postgres can be bumped for both 4.0.0 and 4.0.1 (not needed in 3.1.3)
  • 🔴 derby can't be bumped because the CVE isn't fixed until a version that requires Java 21 (which Hive does not yet support).
  • 🔴 zookeeper is complicated. We apparently have 3.6.3, but the patch-bumps.txt lists 3.8.3 -> 3.8.4, so not even a patch bump. It is further complicated by a shaded dependency via hadoop.
  • 🔴 jackson-mapper-asl comes in via hadoop, so can't be resolved until hadoop is bumped.
  • 🔴 avro. We do have a direct dep, and could bump the patch, but it also comes in via hadoop, so does it solve much?
  • ⚪ no patches for 3.1.3 for the same reasons as above plus a bunch of hadoop deps that we are probably stuck with.

In summary, only the critical postgres CVE gets resolved for Hive. I will not work on other severities for now, just so I can close this off.

@NickLarsenNZ NickLarsenNZ requested a review from lfrancke May 28, 2025 10:57