codelipenghui opened a new pull request, #24532:
URL: https://github.com/apache/pulsar/pull/24532

   ## Summary
   
   This PR upgrades several dependencies to address critical security vulnerabilities identified by OWASP dependency-check:
   
   ### Security Vulnerabilities Fixed
   
   - **Kafka client**: 3.8.1 → 3.9.0
     - Resolves: CVE-2025-27817 (CVSS 7.5), CVE-2025-27818 (CVSS 8.8)
   
   - **Elasticsearch**: 8.12.1 → 8.15.3  
     - Resolves: CVE-2024-23450 (CVSS 7.5), CVE-2024-43709 (CVSS 7.5), CVE-2024-23444 (CVSS 7.5)
   
   - **MySQL Connector**: 8.0.30 → 8.0.33
     - Resolves: CVE-2023-22102 (CVSS 8.3)
   
   - **SQLite JDBC**: 3.42.0.0 → 3.47.1.0
     - Resolves: CVE-2023-7104 (CVSS 7.3)
   
   - **Alluxio**: 2.9.3 → 2.9.4
     - Resolves: CVE-2023-38889 (CVSS 9.8) - **Critical vulnerability**
   
   - **Azure Kusto SDK**: 5.0.4 → 5.2.0
     - Resolves: CVE-2023-36415 (CVSS 8.8) via azure-identity dependency
   
   ### Impact
   
   - **6 high-severity CVEs** resolved (CVSS 7.0-9.8)
   - **1 critical vulnerability** (CVSS 9.8) eliminated
   - All dependency upgrades maintain compatibility with existing functionality
   
   ### Files Modified
   
   - `pom.xml` - Updated version properties for main dependencies
   - `pulsar-io/alluxio/pom.xml` - Updated Alluxio version
   - `pulsar-io/azure-data-explorer/pom.xml` - Updated Kusto SDK version
   
   🤖 Generated with [Claude Code](https://claude.ai/code)

   ### Documentation
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   - [ ] `doc` <!-- Your PR contains doc changes. -->
   - [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
   - [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
   - [ ] `doc-complete` <!-- Docs have been already added -->
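
As an added check, not part of this PR or of the Pulsar code base: a small script that reads the `<properties>` of a pom.xml and reports any of the bumped dependencies still pinned below the versions this PR moves to, treating a `-SNAPSHOT` build as below the plain release. The property names are assumptions (not Pulsar's real pom.xml keys) and the pom fragment is constructed.

```python
import xml.etree.ElementTree as ET

# Floors are the "after" side of each bump in the PR. The property names are
# hypothetical; map them to the keys your pom.xml actually uses.
VERSION_FLOORS = {
    "kafka-client.version": "3.9.0",
    "elasticsearch.version": "8.15.3",
    "mysql-connector.version": "8.0.33",
    "sqlite-jdbc.version": "3.47.1.0",
    "alluxio.version": "2.9.4",
    "azure-kusto.version": "5.2.0",
}
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom fragment: kafka and sqlite still pin the pre-PR versions,
# and azure-kusto points at a snapshot rather than the 5.2.0 release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <kafka-client.version>3.8.1</kafka-client.version>
    <elasticsearch.version>8.15.3</elasticsearch.version>
    <mysql-connector.version>8.0.33</mysql-connector.version>
    <sqlite-jdbc.version>3.42.0.0</sqlite-jdbc.version>
    <alluxio.version>2.9.4</alluxio.version>
    <azure-kusto.version>5.2.0-SNAPSHOT</azure-kusto.version>
  </properties>
</project>"""

def parse_version(v):
    """Comparison key: numeric parts zero-padded to four, then a flag that
    ranks a qualified build (5.2.0-SNAPSHOT) below the plain release."""
    core, _, qualifier = v.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)) + [0 if qualifier else 1])

def find_below_floor(pom_xml):
    """(property, pinned, floor) for each floor that is missing from the pom
    or pinned below it; an empty list means every floor is met."""
    props = ET.fromstring(pom_xml).find(POM_NS + "properties")
    pinned = {} if props is None else {
        el.tag.replace(POM_NS, ""): (el.text or "").strip() for el in props}
    findings = []
    for prop, floor in VERSION_FLOORS.items():
        current = pinned.get(prop)
        if current is None or parse_version(current) < parse_version(floor):
            findings.append((prop, current or "<missing>", floor))
    return findings

for prop, cur, floor in find_below_floor(SAMPLE_POM):
    print(f"{prop}: pinned {cur}, needs >= {floor}")
```

Point it at a real pom by replacing `SAMPLE_POM` with the file's contents; the pom's own `<properties>` are read under the Maven namespace, which is why the tag prefix is stripped before lookup.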
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.