Don't dependency manage kotlin. Fix typo.

barchetta · Oct 4, 2023 · ecebefc · ecebefc
1 parent 05f302c
commit ecebefc
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 22 deletions.
diff --git a/dependencies/pom.xml b/dependencies/pom.xml
@@ -95,7 +95,6 @@
         <version.lib.jgit>6.7.0.202309050840-r</version.lib.jgit>
         <version.lib.junit>5.9.3</version.lib.junit>
         <version.lib.kafka>3.5.1</version.lib.kafka>
-        <version.lib.kotlin>1.8.0</version.lib.kotlin>
         <version.lib.log4j>2.18.0</version.lib.log4j>
         <version.lib.logback>1.4.0</version.lib.logback>
         <version.lib.mariadb-java-client>2.6.2</version.lib.mariadb-java-client>
@@ -131,7 +130,7 @@
         <version.lib.netty-io_uring>0.0.8.Final</version.lib.netty-io_uring>
         <version.lib.oci>3.21.0</version.lib.oci>
         <version.lib.ojdbc8>21.3.0.0</version.lib.ojdbc8>
-        <!-- Force upgrade okio for CVE-2023-0833. When okhttp 4.12.0 is available we can remove this -->
+        <!-- Force upgrade okio for CVE-2023-3635. When okhttp 4.12.0 is available we can remove this -->
         <version.lib.okio>3.4.0</version.lib.okio>
         <!-- Force upgrade okhttp3 for CVE-2023-0833 -->
         <version.lib.okhttp3>4.11.0</version.lib.okhttp3>
@@ -946,12 +945,6 @@
                 <artifactId>kafka-clients</artifactId>
                 <version>${version.lib.kafka}</version>
             </dependency>
-            <dependency>
-                <!-- required transitively by okhttp (used in OpenTelemetry through Jaeger) -->
-                <artifactId>kotlin-stdlib</artifactId>
-                <groupId>org.jetbrains.kotlin</groupId>
-                <version>${version.lib.kotlin}</version>
-            </dependency>
             <dependency>
                 <groupId>org.glassfish.jersey.media</groupId>
                 <artifactId>jersey-media-json-binding</artifactId>
@@ -1253,7 +1246,7 @@
                 <version>${version.lib.okhttp3}</version>
             </dependency>
             <dependency>
-                <!-- Force upgrade okio for CVE-2023-0833. When okhttp 4.12.0 is available we can remove this -->
+                <!-- Force upgrade okio for CVE-2023-3635. When okhttp 4.12.0 is available we can remove this -->
                 <groupId>com.squareup.okio</groupId>
                 <artifactId>okio</artifactId>
                 <version>${version.lib.okio}</version>

diff --git a/tracing/providers/jaeger/pom.xml b/tracing/providers/jaeger/pom.xml
@@ -41,13 +41,9 @@
             <groupId>io.opentelemetry</groupId>
             <artifactId>opentelemetry-sdk</artifactId>
         </dependency>
-        <!-- For dependency convergence of kotlin-stdlib -->
-        <!-- We force upgrade of okio because of CVE-2023-3635 -->
-        <!-- But okhttp3 depends on older version of kotlin-stdlib -->
-        <!-- we defer to version in okio, so must exclude it from okhttp3 -->
-        <!-- which is a transitive dependency of export-jaeger -->
-        <!-- Once okhttp3 4.12.0 is released we can remove this since it upgrades okio -->
-        <!-- https://github.com/square/okhttp/pull/7947 -->
+        <!-- For dependency convergence of kotlin-stdlib
+             Once okhttp3 4.12.0 is released we can remove this since it upgrades okio
+             https://github.com/square/okhttp/pull/7947 -->
         <dependency>
             <groupId>com.squareup.okio</groupId>
             <artifactId>okio</artifactId>
@@ -56,7 +52,8 @@
             <groupId>io.opentelemetry</groupId>
             <artifactId>opentelemetry-exporter-jaeger</artifactId>
             <exclusions>
-                <!-- For dependency convergence. See comment on okio -->
+                <!-- For dependency convergence. This excludes the transitive dep
+                     on kotlin from okhttp. We defer to the transitive dep from okio -->
                 <exclusion>
                     <groupId>org.jetbrains.kotlin</groupId>
                     <artifactId>kotlin-stdlib-jdk8</artifactId>
@@ -87,11 +84,6 @@
             <groupId>io.helidon.tracing</groupId>
             <artifactId>helidon-tracing</artifactId>
         </dependency>
-        <dependency>
-            <!-- used by okhttp in OpenTelemetry exporter -->
-            <artifactId>kotlin-stdlib</artifactId>
-            <groupId>org.jetbrains.kotlin</groupId>
-        </dependency>
         <dependency>
             <!-- redirecting Jaeger slf4j logging to JUL logging -->
             <groupId>org.slf4j</groupId>