Update apache thrift version in cadence client library
swamvenk opened this issue · 4 comments
Describe the bug
From the commit id of apace/thrift dependency I see that we are using v0.10.0 of apace/thrift. But we have multiple CVEs filed that needs updating the library to the latest version (v0.14.x)
To Reproduce
Is the issue reproducible?
- Yes
Steps to reproduce the behavior:
Everyone using cadence client library will get apache/thrift older versions as an implicit dependency and upon checking for security vulnerabilities we get the CVEs flagged
Expected behavior
Up-to-date apache/thrift dependency
Hi Cadence is moving towards gRPC and it’ll almost there. After migrate to gRPC you can turn off the thrift/tChannel ports. There will be a period that we will support both protocols until some time that we decided to deprecate thrift.
Would it solve this problem for you?
@longquanzheng I understand the move to gRPC, but you have broken releases, that are not upgradable. And memory leaks in previous versions (hopefully not in the newest - but no way to try). How can you fix that?
Given that it's a breaking change, and they did not release a new module version / repo to allow users to migrate gradually: there's little we can do, since our core RPC library (yarpc) depends on the old version, due to that breaking change.
Switching to gRPC is pretty much the only feasible option.
Also, while those are valid CVEs, they don't really apply to business-internal use. You control all clients and all client code generation. If you are exposing a cadence server to the public internet, then yeah, they're problematic... but I would definitely not recommend doing that.
👋 For what it's worth, we faced this same problem, and this was all we needed to fix it: https://github.com/digitalocean/cadence-client/pull/1/files
We've just been maintaining that fork and carrying that patch forward