Omid still uses protobuf-java:2.5.0, which is affected by CVEs (CVE-2024-7254, CVE-2015-5237), thus it would be beneficial to use the newer version 4.32.0.
One option is to upgrade the protobuf version in Omid, but that could result in multiple versions of protobuf-java being present on the classpath. A better option would be to shade protobuf-java, thus avoiding the above-mentioned problem. Using other projects' shaded protobuf (like HBase or Hadoop) is not sufficient, since the version of protobuf-java present in those is determined by the corresponding parent project. As a result of this, phoenix-thirdparty would need a new release with version 2.2.0, and afterwards Omid could use the shaded protobuf in an upcoming release.

Thanks,
Norbert Meszaros
