Bump okhttp from 3.12.12 to 4.12.0 #6748

Open. Wants to merge 1 commit into base: master

Conversation

Madhukar525722 (Contributor)

🔍 Description

Describe Your Solution 🔧

This is to fix CVE-2023-0833 and CVE-2023-3635 (for okio).
As there is no breaking change from okhttp 3 to 4, this seems feasible: square/okhttp#4723

Types of changes 🔖

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Test Plan 🧪

Built and ran locally.

Behavior Without This Pull Request ⚰️

Behavior With This Pull Request 🎉

Related Unit Tests


Checklist 📝

Be nice. Be informative.

@pan3793 (Member)

pan3793 commented Oct 17, 2024

This upgrade brings Kotlin as a runtime dependency; it's too heavy for an HTTP client. If OkHttp3 is EOL, we need to switch to an alternative HTTP client instead of upgrading.

@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 0.00%. Comparing base (04468a6) to head (767a8ad).

Additional details and impacted files
@@          Coverage Diff           @@
##           master   #6748   +/-   ##
======================================
  Coverage    0.00%   0.00%           
======================================
  Files         684     684           
  Lines       42281   42281           
  Branches     5768    5768           
======================================
  Misses      42281   42281           


@Madhukar525722 (Contributor, Author)

Hi @pan3793, I didn't get the statement that Kotlin is going to be heavy. What I see is that the runtime jars are only a few MBs, as:
-rw-rw-r--. 1 kyuubi root 968 Oct 17 06:49 kotlin-stdlib-jdk8-1.8.21.jar
-rw-rw-r--. 1 kyuubi root 963 Oct 17 06:49 kotlin-stdlib-jdk7-1.8.21.jar
-rw-rw-r--. 1 kyuubi root 220K Oct 17 06:49 kotlin-stdlib-common-1.9.10.jar
-rw-rw-r--. 1 kyuubi root 1.6M Oct 17 06:49 kotlin-stdlib-1.8.21.jar

Could you please guide me on how to test the concerns/implications?

@bowenliang123 (Contributor)

It's way too heavy to bring Kotlin into the Kyuubi distribution, especially considering okhttp is an indirect, transparent dependency for Kyuubi.

The kubernetes-client v6 release does introduce an API/implementation split, allowing you to choose the client from OkHttp, JDK HttpClient or Jetty HttpClient.
https://github.com/fabric8io/kubernetes-client/blob/main/doc/MIGRATION-v6.md#apiimpl-split
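As an added example (not code from this PR or from Kyuubi's own pom.xml), here is what the switch bowenliang123 points at looks like in a Maven build, together with a build-time check for the concern pan3793 raises and Madhukar525722 asks how to test. fabric8's kubernetes-client pulls in its OkHttp transport module by default; excluding kubernetes-httpclient-okhttp and adding kubernetes-httpclient-jdk moves the transport to the JDK's java.net.http client (Java 11 or later), so OkHttp and the Kotlin stdlib never reach the distribution. The maven-enforcer-plugin bannedDependencies rule then fails the build if any other dependency reintroduces them transitively. The ${kubernetes-client.version} property and the plugin version being pinned in pluginManagement are assumptions; the module artifact names are the ones documented in the fabric8 MIGRATION-v6 guide linked above.

```xml
<!-- Added example, not Kyuubi's pom.xml. Assumes kubernetes-client.version
     is already defined as a property in the project. -->
<dependencies>
  <dependency>
    <groupId>io.fabric8</groupId>
    <artifactId>kubernetes-client</artifactId>
    <version>${kubernetes-client.version}</version>
    <exclusions>
      <!-- Drop the default OkHttp transport; this module is what drags in
           com.squareup.okhttp3:okhttp, okio and the Kotlin stdlib. -->
      <exclusion>
        <groupId>io.fabric8</groupId>
        <artifactId>kubernetes-httpclient-okhttp</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Replacement transport built on java.net.http (needs Java 11+).
       kubernetes-httpclient-jetty is the other option the guide documents. -->
  <dependency>
    <groupId>io.fabric8</groupId>
    <artifactId>kubernetes-httpclient-jdk</artifactId>
    <version>${kubernetes-client.version}</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Guardrail: fail the build if any path, direct or transitive,
         brings OkHttp or Kotlin back into the artifact. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-okhttp-and-kotlin</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <exclude>com.squareup.okhttp3:*</exclude>
                  <exclude>org.jetbrains.kotlin:*</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

To see which dependency paths still bring the banned artifacts in before enabling the rule, run `mvn dependency:tree -Dincludes=org.jetbrains.kotlin,com.squareup.okhttp3` on the module; any other consumer of OkHttp in the build will show up there and will also trip the enforcer, so either exclude it the same way or take it off the ban list deliberately. If the okio advisory in the PR description matters independently of OkHttp, add com.squareup.okio:* to the excludes as well.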

4 participants