damccorm commented on code in PR #34860:
URL: https://github.com/apache/beam/pull/34860#discussion_r2105111556
##########
sdks/java/io/expansion-service/build.gradle:
##########
@@ -33,6 +33,9 @@ applyJavaNature(
configurations.runtimeClasspath {
// Pin kafka-clients version due to <3.4.0 missing auth callback classes.
resolutionStrategy.force 'org.apache.kafka:kafka-clients:3.9.0'
+
+ // Pin org.apache.parquet:parquet-avro to a non-vulnerable version
compatible.
+ resolutionStrategy.force 'org.apache.parquet:parquet-avro:1.15.1'
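Review bot: the comment on the new `resolutionStrategy.force` line ("Pin org.apache.parquet:parquet-avro to a non-vulnerable version compatible.") trails off and does not say what is being fixed or which transitive dependency currently brings in the older parquet-avro; mirror the kafka-clients pin just above it, which states its reason ("<3.4.0 missing auth callback classes"), and link the tracking issue so the pin can be dropped once that dependency is upgraded. Also note that `force` overrides the version for the whole runtimeClasspath without any compatibility check against whatever requested the older parquet-avro, so the "compatible" claim is worth backing with a build and run of the expansion service against 1.15.1.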
Review Comment:
Do you know which dependenc(y|ies) currently cause parquet-avro to be
installed? I'm in favor of the change, but it would be good for us to know this
so that we can respond once the dependency is fixed. Once we figure out that
dependency FOO is causing the lower version of parquet-avro to be installed, we
should add a couple comments:
1) A comment here mentioning that this can be removed once that dependency
is upgraded and `./gradlew :sdks:java:io:expansion-service:dependencies
--configuration runtimeClasspath | grep parquet-avro` shows no entries
2) A comment next to dependency `FOO` mentioning that this should be removed
once that is upgraded to a version with a higher parquet-avro dependency.
Both should link to a tracking issue with context (e.g. like
https://github.com/apache/beam/commit/b2879858abe79ae2600ee4a45289eed4e1cb4978
does)
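As an added example (not code from the Beam repository or from this PR), the script below parses the output of the `./gradlew :sdks:java:io:expansion-service:dependencies --configuration runtimeClasspath` command quoted above and reports which direct dependency pulls in parquet-avro, at which requested version, and what Gradle resolved it to. The dependency tree it parses is a constructed sample with placeholder coordinates (`com.example:dependency-foo` and friends), not Beam's real dependency graph.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `gradle dependencies --configuration runtimeClasspath` output.
# The com.example coordinates are placeholders standing in for the unknown "FOO".
SAMPLE_TREE = r"""runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.kafka:kafka-clients:3.4.0 -> 3.9.0
+--- com.example:dependency-foo:1.0
|    +--- org.apache.parquet:parquet-avro:1.12.0 -> 1.15.1
|    |    \--- org.apache.parquet:parquet-hadoop:1.12.0
|    \--- com.example:util:2.0
\--- com.example:dependency-bar:3.1
     \--- org.apache.parquet:parquet-avro:1.13.1 -> 1.15.1 (*)

(*) - Indicates repeated occurrences of a transitive dependency subtree.
"""

# Gradle draws each nesting level as 5 characters ("|    " or "     ") followed by
# "+--- " or "\--- ", then "group:artifact:version", optionally " -> resolvedVersion".
NODE_RE = re.compile(r'^((?:[| ] {4})*)[+\\]--- (\S+)(?: -> (\S+))?(.*)$')


def find_dependency_paths(tree: str, group: str, artifact: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per occurrence of group:artifact, with the direct dependency
    ("via") that transitively pulls it in and the requested vs. resolved version."""
    results: List[Dict[str, Optional[str]]] = []
    stack: List[str] = []  # chain of group:artifact names from the root to the current node
    for line in tree.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # header, footer or blank line
        depth = len(m.group(1)) // 5
        parts = m.group(2).split(':')
        name, requested = f"{parts[0]}:{parts[1]}", (parts[2] if len(parts) > 2 else None)
        resolved = m.group(3) or requested
        del stack[depth:]  # unwind to this node's parent
        stack.append(name)
        if (parts[0], parts[1]) == (group, artifact):
            results.append({
                'via': stack[0] if len(stack) > 1 else None,  # None: declared directly
                'path': ' > '.join(stack[:-1]),
                'requested': requested,
                'resolved': resolved,
                'overridden': resolved != requested,  # conflict resolution or a force
            })
    return results


def version_key(version: str):
    return tuple(int(p) if p.isdigit() else 0 for p in version.split('.'))


def lowest_requested(records: List[Dict[str, Optional[str]]]) -> Optional[str]:
    """Lowest version any dependency asks for; the pin can go once this reaches the pinned one."""
    reqs = [r['requested'] for r in records if r['requested']]
    return min(reqs, key=version_key) if reqs else None
```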
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]