[fs] Force CVE-patched commons-lang3 and snappy-java in hadoop-shaded#8560
Open
thswlsqls wants to merge 1 commit into
Open
[fs] Force CVE-patched commons-lang3 and snappy-java in hadoop-shaded#8560thswlsqls wants to merge 1 commit into
thswlsqls wants to merge 1 commit into
Conversation
The paimon-hadoop-shaded NOTICE already declares commons-lang3:3.18.0 and snappy-java:1.1.10.8 (from CVE fixes apache#6781 and apache#7383), but the shaded jar still bundled hadoop-common 3.3.4's transitive 3.12.0 and 1.1.8.2 because those versions were never pinned here. Add dependencyManagement overrides (mirroring the existing commons-beanutils security bump) so the shaded jar bundles the versions the NOTICE claims. Generated-by: Claude Code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
fix #8558
paimon-hadoop-shaded's NOTICE declarescommons-lang3:3.18.0andsnappy-java:1.1.10.8, but the shaded jar bundled the transitive3.12.0/1.1.8.2fromhadoop-common:3.3.4— the CVE fixes [core] Bump commons-lang3 to version 3.18.0 to avoid CVE-2025-48924 #6781 (CVE-2025-48924) and [core] upgrade snappy-java to 1.1.10.8 due to CVE #7383 only touched NOTICE / an inert root property, so they never reached this artifact.dependencyManagementoverrides pinning both to the versions the NOTICE already declares, mirroring the existingcommons-beanutilssecurity bump in the same pom. No NOTICE change needed.paimon-hadoop-uberand the oss/s3/obs/cosn/azure-implmodules, which bundle hadoop through this module.Tests
commons-beanutilsbump — no unit test added.mvn -pl paimon-filesystems/paimon-hadoop-shaded dependency:treenow resolvescommons-lang3:3.18.0andsnappy-java:1.1.10.8.mvn -pl paimon-filesystems/paimon-hadoop-shaded clean installpasses (shade + checkstyle + rat); the shaded jar bundles commons-lang3 3.18.0 and snappy-java 1.1.10.8.