lhotari commented on PR #24959: URL: https://github.com/apache/pulsar/pull/24959#issuecomment-3502089250
> This PR removes the transitive dependency reactor-netty-http from the Azure Data Explorer module.
> The module was bringing in io.projectreactor.netty classes that expose the project to [CVE-2025-22227](https://github.com/advisories/GHSA-4q2v-9p7v-3v22), affecting older versions of Reactor Netty through unsafe HTTP handling behavior.

Removing transitive dependencies could break some functionality. The preferred approach would be to upgrade the dependency that pulls in a dependency (`kusto.sdk.version` in this case, https://central.sonatype.com/artifact/com.microsoft.azure.kusto/kusto-data/versions). An alternative approach would be to enforce reactor-netty-http version to a compatible version that includes the fix.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
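The three options named in the comment above, side by side in a Maven POM fragment. This is an added illustration, not code from the PR or from Pulsar's build files. Both version values are placeholders, and the `reactor-netty.version` property name is hypothetical; only `kusto.sdk.version` and the artifact names come from the thread.

```xml
<!-- Added illustration; not Pulsar's actual pom.xml. A fragment, not a complete POM. -->
<project>
  <properties>
    <!-- Preferred: raise the SDK that pulls in reactor-netty-http, so the
         transitive set the SDK was built against moves with it. PLACEHOLDER value. -->
    <kusto.sdk.version>KUSTO_SDK_VERSION_PLACEHOLDER</kusto.sdk.version>
    <!-- Hypothetical property, used only by the alternative below. PLACEHOLDER value. -->
    <reactor-netty.version>REACTOR_NETTY_FIXED_VERSION_PLACEHOLDER</reactor-netty.version>
  </properties>

  <!-- Alternative: keep the SDK version and enforce the transitive artifact's
       version. dependencyManagement overrides what Maven would otherwise
       resolve, and the classes stay on the classpath. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty-http</artifactId>
        <version>${reactor-netty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.microsoft.azure.kusto</groupId>
      <artifactId>kusto-data</artifactId>
      <version>${kusto.sdk.version}</version>
      <!-- The approach the comment cautions about: an exclusion removes the
           classes entirely, so SDK code paths that need them may break.
      <exclusions>
        <exclusion>
          <groupId>io.projectreactor.netty</groupId>
          <artifactId>reactor-netty-http</artifactId>
        </exclusion>
      </exclusions>
      -->
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes=io.projectreactor.netty` in the module shows which version actually resolves after either change.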
