This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-4.1
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-4.1 by this push:
new 6ed6a997d8a [fix][sec] Eliminate commons-collections dependency
(#25024)
6ed6a997d8a is described below
commit 6ed6a997d8accac0b61cad545984d522f1d1588d
Author: Lari Hotari <[email protected]>
AuthorDate: Thu Nov 27 14:39:30 2025 +0200
[fix][sec] Eliminate commons-collections dependency (#25024)
(cherry picked from commit 081b4489ccec0411329a147d96dcdf2d5c209410)
---
distribution/server/src/assemble/LICENSE.bin.txt | 1 -
distribution/shell/src/assemble/LICENSE.bin.txt | 1 -
.../apache/bookkeeper/mledger/impl/ManagedCursorTest.java | 2 +-
pom.xml | 12 +++++++++++-
pulsar-client-admin-shaded/pom.xml | 1 -
pulsar-client-all/pom.xml | 1 -
pulsar-client-shaded/pom.xml | 1 -
7 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt
b/distribution/server/src/assemble/LICENSE.bin.txt
index 430819051e6..8820f1483cf 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -287,7 +287,6 @@ The Apache Software License, Version 2.0
- commons-codec-commons-codec-1.20.0.jar
- commons-io-commons-io-2.21.0.jar
- commons-logging-commons-logging-1.3.5.jar
- - commons-collections-commons-collections-3.2.2.jar
- org.apache.commons-commons-collections4-4.5.0.jar
- org.apache.commons-commons-compress-1.28.0.jar
- org.apache.commons-commons-configuration2-2.12.0.jar
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt
b/distribution/shell/src/assemble/LICENSE.bin.txt
index 4d4684e4a9f..5cb2a9f5e5c 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -345,7 +345,6 @@ The Apache Software License, Version 2.0
- commons-text-1.14.0.jar
- commons-compress-1.28.0.jar
- commons-beanutils-1.11.0.jar
- - commons-collections-3.2.2.jar
- commons-configuration2-2.12.0.jar
* Netty
- netty-buffer-4.1.128.Final.jar
diff --git
a/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java
b/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java
index e5ce27c488f..9cd597904fc 100644
---
a/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java
+++
b/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java
@@ -112,7 +112,7 @@ import
org.apache.bookkeeper.mledger.proto.MLDataFormats.ManagedCursorInfo;
import org.apache.bookkeeper.mledger.proto.MLDataFormats.PositionInfo;
import org.apache.bookkeeper.mledger.util.ManagedLedgerUtils;
import org.apache.bookkeeper.test.MockedBookKeeperTestCase;
-import org.apache.commons.collections.iterators.EmptyIterator;
+import org.apache.commons.collections4.iterators.EmptyIterator;
import org.apache.commons.lang3.mutable.MutableBoolean;
import org.apache.pulsar.common.api.proto.CommandSubscribe;
import org.apache.pulsar.common.api.proto.IntRange;
diff --git a/pom.xml b/pom.xml
index f2fadd1ba2b..7e20110788a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -252,7 +252,7 @@ flexible messaging model and an intuitive client
API.</description>
<debezium.mysql.version>9.4.0</debezium.mysql.version>
<jsonwebtoken.version>0.11.1</jsonwebtoken.version>
<opencensus.version>0.28.0</opencensus.version>
- <hadoop3.version>3.4.1</hadoop3.version>
+ <hadoop3.version>3.4.2</hadoop3.version>
<dnsjava3.version>3.6.2</dnsjava3.version>
<hdfs-offload-version3>${hadoop3.version}</hdfs-offload-version3>
<hbase.version>2.6.3-hadoop3</hbase.version>
@@ -645,6 +645,10 @@ flexible messaging model and an intuitive client
API.</description>
<groupId>io.grpc</groupId>
<artifactId>grpc-netty</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ </exclusion>
</exclusions>
</dependency>
@@ -1744,6 +1748,12 @@ flexible messaging model and an intuitive client
API.</description>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>${commons-beanutils.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
diff --git a/pulsar-client-admin-shaded/pom.xml
b/pulsar-client-admin-shaded/pom.xml
index a29571dd111..04cf0cb461b 100644
--- a/pulsar-client-admin-shaded/pom.xml
+++ b/pulsar-client-admin-shaded/pom.xml
@@ -128,7 +128,6 @@
<include>com.yahoo.datasketches:sketches-core</include>
<include>commons-*:*</include>
<include>commons-codec:commons-codec</include>
- <include>commons-collections:commons-collections</include>
<include>io.airlift:*</include>
<include>io.grpc:*</include>
<include>io.netty.incubator:*</include>
diff --git a/pulsar-client-all/pom.xml b/pulsar-client-all/pom.xml
index a5f580f18bc..ebb88b9c83b 100644
--- a/pulsar-client-all/pom.xml
+++ b/pulsar-client-all/pom.xml
@@ -171,7 +171,6 @@
<include>com.yahoo.datasketches:sketches-core</include>
<include>commons-*:*</include>
<include>commons-codec:commons-codec</include>
- <include>commons-collections:commons-collections</include>
<include>io.airlift:*</include>
<include>io.grpc:*</include>
<include>io.netty.incubator:*</include>
diff --git a/pulsar-client-shaded/pom.xml b/pulsar-client-shaded/pom.xml
index 5b8a3db5a5a..d4341bcd015 100644
--- a/pulsar-client-shaded/pom.xml
+++ b/pulsar-client-shaded/pom.xml
@@ -145,7 +145,6 @@
<include>com.yahoo.datasketches:sketches-core</include>
<include>commons-*:*</include>
<include>commons-codec:commons-codec</include>
- <include>commons-collections:commons-collections</include>
<include>io.airlift:*</include>
<include>io.netty.incubator:*</include>
<include>io.netty:*</include>
