spuru9 opened a new pull request, #1114: URL: https://github.com/apache/flink-kubernetes-operator/pull/1114
## What is the purpose of the change

This pull request bumps three direct dependencies to retire CVEs flagged by Trivy across the operator and example modules. All changes are direct version bumps within the same major lines — no `<dependencyManagement>` overrides on transitive dependencies.

JIRA: [FLINK-39713](https://issues.apache.org/jira/browse/FLINK-39713)

CVEs retired:

- `log4j` (used directly by every module via `${log4j.version}`): CVE-2025-68161, CVE-2026-34477, CVE-2026-34478, CVE-2026-34479, CVE-2026-34480 — ~45 MEDIUM findings across operator, operator-api, autoscaler-standalone, kubernetes-standalone, and the three example modules.
- `jackson-core` (consumed by operator and operator-api via the BOM imported in the root pom): GHSA-72hv-8253-57qq (Number Length Constraint Bypass in Async Parser).
- Beam transitives in `examples/flink-beam-example` (kaml, okio, wire-runtime, kafka-clients, opentelemetry-api, parallel Netty copy): the bulk of the 37 example-only findings.

Residual Netty / lz4-java / commons-lang3 CVEs flowing through `flink-runtime` remain open and will be retired by a future Flink minor bump that bundles Netty ≥ 4.1.133. Those are tracked separately.

## Brief change log

- `pom.xml`: `log4j.version` 2.23.1 → 2.25.4 (patch-level bump within the 2.x line, binary-compatible)
- `pom.xml`: `jackson-bom` 2.15.0 → 2.18.6 (minor bump within the 2.x line)
- `examples/flink-beam-example/pom.xml`: `beam.version` 2.62.0 → 2.73.0 (`beam-runners-flink-1.19` still publishes at 2.73.0, so no runner artifact change is required)

## Verifying this change

This change is already covered by existing tests.

Steps used locally:

- `./mvnw -DskipTests install`
- `./mvnw verify`
- `trivy fs --scanners vuln .` — confirmed the listed CVEs are cleared

## Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): **yes** (version-only upgrades of existing direct dependencies)
- The public API, i.e., are there any changes to the `CustomResourceDescriptors`: no
- Core observer or reconciler logic that is regularly executed: no

## Documentation

- Does this pull request introduce a new feature? no

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
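The last verification step above ("confirmed the listed CVEs are cleared") is a manual read of Trivy's output. The following is an added example of how a reviewer or CI job could turn that into a repeatable gate; it is not code from the PR or from the flink-kubernetes-operator project. It reads the JSON produced by `trivy fs --scanners vuln --format json .`, fails if any of the IDs the PR lists as retired reappear, fails on any finding outside the residual set the PR says is tracked separately (Netty, lz4-java, commons-lang3 via `flink-runtime`), and tolerates only those residuals. The package-name prefixes used for the residual allowlist and the two sample reports are constructed for the example; the Netty finding's ID and versions in the samples are placeholders, not real data.

```python
"""Gate a `trivy fs --scanners vuln --format json .` report after a dependency bump.

Added example; not code from the PR or the flink-kubernetes-operator project.
Trivy's JSON layout used here (Results[].Target, Results[].Vulnerabilities[]
.VulnerabilityID / PkgName / InstalledVersion / FixedVersion / Severity) is the
scanner's SchemaVersion 2 format. The sample reports at the bottom are constructed.
"""
import json
import sys

# IDs the PR description says the log4j and jackson-core bumps retire.
RETIRED_IDS = frozenset({
    "CVE-2025-68161",
    "CVE-2026-34477",
    "CVE-2026-34478",
    "CVE-2026-34479",
    "CVE-2026-34480",
    "GHSA-72hv-8253-57qq",
})

# Findings in these packages are accepted for now: the PR says they arrive via
# flink-runtime and wait on a future Flink minor bump. Matched as a prefix of
# Trivy's PkgName, which for Maven artifacts is "groupId:artifactId" (assumed
# coordinates for lz4-java and commons-lang3).
RESIDUAL_PKG_PREFIXES = (
    "io.netty:",
    "org.lz4:lz4-java",
    "org.apache.commons:commons-lang3",
)


def flatten(report_json):
    """Flatten a Trivy JSON report into one dict per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def classify(report_json):
    """Split findings into regressions (a retired ID is back), residual
    (known and tracked separately) and unexpected (anything else)."""
    buckets = {"regressions": [], "residual": [], "unexpected": []}
    for f in flatten(report_json):
        if f["id"] in RETIRED_IDS:
            buckets["regressions"].append(f)
        elif f["pkg"].startswith(RESIDUAL_PKG_PREFIXES):
            buckets["residual"].append(f)
        else:
            buckets["unexpected"].append(f)
    return buckets


def passes(report_json):
    """True only when no retired ID is back and no untracked finding appeared."""
    b = classify(report_json)
    return not b["regressions"] and not b["unexpected"]


def _result(target, *vulns):
    return {"Target": target, "Class": "lang-pkgs", "Type": "pom", "Vulnerabilities": list(vulns)}


def _vuln(vid, pkg, installed, fixed, severity):
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


# Constructed "before the bump" report: two retired IDs still present plus one
# residual Netty finding. CVE-0000-00000 and the Netty versions are placeholders.
BEFORE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    _result("pom.xml",
            _vuln("CVE-2025-68161", "org.apache.logging.log4j:log4j-core", "2.23.1", "2.25.4", "MEDIUM"),
            _vuln("GHSA-72hv-8253-57qq", "com.fasterxml.jackson.core:jackson-core", "2.15.0", "2.18.6", "MEDIUM")),
    _result("flink-kubernetes-operator/pom.xml",
            _vuln("CVE-0000-00000", "io.netty:netty-handler", "4.1.1xx.Final", "4.1.133.Final", "HIGH")),
]})

# Constructed "after the bump" report: only the tracked residual remains.
AFTER_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    _result("pom.xml"),
    _result("flink-kubernetes-operator/pom.xml",
            _vuln("CVE-0000-00000", "io.netty:netty-handler", "4.1.1xx.Final", "4.1.133.Final", "HIGH")),
]})


def main(argv):
    # Usage: trivy fs --scanners vuln --format json . | python gate.py
    # Without stdin input, runs against the constructed AFTER_REPORT sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else AFTER_REPORT
    b = classify(data)
    for name in ("regressions", "unexpected", "residual"):
        for f in b[name]:
            print(f"{name:11} {f['id']:22} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['target']})")
    return 0 if passes(data) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The allowlist is keyed on package rather than on CVE ID on purpose: the residual Netty/lz4/commons-lang3 findings are whatever Trivy's database says about the version `flink-runtime` pins, so pinning their IDs would make the gate stale every time the database updates, while a new finding in any other package still fails the build.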
