Consider removing H2 dependency #5087
Comments
From @jvalkeal ... Let's follow up to see what Boot is doing in the version where H2 still has the CVE. IOW - if Boot has decided to leave it in we can follow suit based on the same principles. Also is the latest H2 lib w/o the CVE able to run in SCDF?
Hi @onobc, from a developer's point of view, it is bad to have unnecessary dependencies on the classpath, just because of a "local/developer" setup and examples. In a prod environment normally a persistent database is used. In some companies, an h2database dependency will always raise a red flag even without CVE reports.
Hi @michael-wirth, It is not that we want to use H2 specifically, or that we want it on the classpath. Thanks for the feedback.
GOAL: It should be easy to start a local env for quickstart, local dev, manual testing, etc.

Once H2 is removed from the class path here are some possible options to realize the above goal.

Option 1: Provide a script that adds the H2 dep to the local server
Option 2: Provide a script to start MariaDB locally in docker (it should output the command to start SCDF using the newly started MariaDB server)
Option 3: Provide an artifact(s) that include the H2 dep

I am sure there are other options, just getting these thoughts queued up for when we get back to this.
So.... The `H2` config was split into its own config and made optional in #4802 as it was lighting up CVE scans. We quickly realized the missing dep. broke running locally w/ `java -jar` as well as many examples that do the same in the docs. Because of this I made the dependency non-optional here. As of now the dependency is still provided. We need to decide what we are going to do in this area (provide it or not).
Originally posted by @onobc in #5082 (comment)