Arkadiusz Gasinski created BEAM-14118:
-----------------------------------------
Summary: beam-vendor-grpc-1_43_2 shades vulnerable Netty dependency
Key: BEAM-14118
URL: https://issues.apache.org/jira/browse/BEAM-14118
Project: Beam
Issue Type: Improvement
Components: runner-flink
Affects Versions: 2.37.0
Reporter: Arkadiusz Gasinski
The
[beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2]
dependency (that is pulled transitively by the beam-runners-flink-1.13) shades
a vulnerable Netty version, i.e. 4.1.63.Final:
[https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]
In turn, our Beam pipeline builds are marked as vulnerable and we're having
issues promoting them to higher environments.
Because Netty is shaded, we can't simply override the version in the build tool.
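Added example (not part of the original report and not Beam project code): a small scanner showing why a shaded copy of Netty is invisible to a build-tool version override yet is still found when a jar's contents are inspected. The vendor prefix org.example.vendor and the sample jar are constructed for illustration; whether Maven pom.properties metadata survives shading in a given jar is an assumption, while the relocated class paths are detected either way.

```python
import io
import re
import zipfile

# A relocated class keeps the io/netty/ path segment behind a vendor prefix.
NETTY_CLASS = re.compile(r"^(?P<prefix>(?:[^/]+/)*)io/netty/.+\.class$")
# Maven metadata that shading may leave in the jar (assumption: not always present).
NETTY_POM = re.compile(r"^META-INF/maven/io\.netty/(?P<artifact>[^/]+)/pom\.properties$")


def scan_jar(jar):
    """Return (relocation prefixes holding Netty classes, {artifact: version})."""
    prefixes, versions = set(), {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = NETTY_CLASS.match(name)
            if m:
                prefix = m.group("prefix").rstrip("/").replace("/", ".")
                prefixes.add(prefix or "<unshaded>")
                continue
            m = NETTY_POM.match(name)
            if m:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        versions[m.group("artifact")] = line.split("=", 1)[1].strip()
    return sorted(prefixes), versions


def build_sample_jar():
    """Constructed test jar: Netty classes under a hypothetical vendor prefix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/vendor/io/netty/buffer/ByteBuf.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/example/vendor/io/netty/channel/Channel.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/example/app/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/io.netty/netty-common/pom.properties",
                    "groupId=io.netty\nartifactId=netty-common\nversion=4.1.63.Final\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    prefixes, versions = scan_jar(build_sample_jar())
    print("Netty classes relocated under:", prefixes)
    print("Embedded Netty metadata:", versions)
```

scan_jar also accepts a filesystem path, so it can be pointed at any jar on the runtime classpath to list which artifacts carry their own copy of Netty.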