-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update apache thrift version in cadence client library #1128
Comments
Hi Cadence is moving towards gRPC and it’ll almost there. After migrate to gRPC you can turn off the thrift/tChannel ports. There will be a period that we will support both protocols until some time that we decided to deprecate thrift. Would it solve this problem for you? |
@longquanzheng I understand the move to gRPC, but you have broken releases, that are not upgradable. And memory leaks in previous versions (hopefully not in the newest - but no way to try). How can you fix that? |
Given that it's a breaking change, and they did not release a new module version / repo to allow users to migrate gradually: there's little we can do, since our core RPC library (yarpc) depends on the old version, due to that breaking change. Switching to gRPC is pretty much the only feasible option. Also, while those are valid CVEs, they don't really apply to business-internal use. You control all clients and all client code generation. If you are exposing a cadence server to the public internet, then yeah, they're problematic... but I would definitely not recommend doing that. |
👋 For what it's worth, we faced this same problem, and this was all we needed to fix it: https://github.com/digitalocean/cadence-client/pull/1/files We've just been maintaining that fork and carrying that patch forward |
Describe the bug
From the commit id of apace/thrift dependency I see that we are using v0.10.0 of apace/thrift. But we have multiple CVEs filed that needs updating the library to the latest version (v0.14.x)
To Reproduce
Is the issue reproducible?
Steps to reproduce the behavior:
Everyone using cadence client library will get apache/thrift older versions as an implicit dependency and upon checking for security vulnerabilities we get the CVEs flagged
Expected behavior
Up-to-date apache/thrift dependency
The text was updated successfully, but these errors were encountered: