I think this is the right course of action.

Istvan

On Wed, Sep 17, 2025 at 1:24 PM Mészáros Norbert <[email protected]> wrote:

> Omid still uses protobuf-java:2.5.0, which is affected by CVEs
> (CVE-2024-7254, CVE-2015-5237), thus it would be beneficial to use the
> newer version 4.32.0.
>
> One option is to upgrade the protobuf version in Omid, but that could
> result in multiple versions of protobuf-java being present on the
> classpath.
>
> A better option would be to shade protobuf-java, thus avoiding the above
> mentioned problem. Using other projects' shaded protobuf (like HBase or
> Hadoop) is not sufficient, since the version of protobuf-java present in
> those is determined by the corresponding parent project.
>
> As a result of this, phoenix-thirdparty would need a new release with
> version 2.2.0, and afterwards Omid could use the shaded protobuf in an
> upcoming release.
>
> Thanks,
> Norbert Meszaros
>

--
*István Tóth* | Sr. Staff Software Engineer
*Email*: [email protected]
cloudera.com <https://www.cloudera.com>
