Re: security vulnerability: janusgraph-full-1.0.0-rc1: in ./lib ( netty-all.4.1.58.Final) as well as ./lib/gremlin-console-3.6.1.jar & gremlin-driver.3.6.1.jar (netty-all.4.1.77.Final)


Hi Yingjie,

Still not clear to me.
  1. What do you mean with "they embed netty-all.4.1.77.Final.jar"? The gremlin jars only contain the code from TinkerPop, no netty bytecode.
  2. The Cassandra lib directory need not be used; it is only included to run a local Cassandra instance for the bin/ script. So, you can simply remove the cassandra directory and still use gremlin-console.
Also note that there is a separate thread for feedback on janusgraph-1.0.0-rc1, but it is OK to have the current discussion here to find out what the actual issue is.


On Wed, Jan 25, 2023 at 01:16 PM, Yingjie Li wrote:
embed netty-all.4.1.77.Final.jar
