This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch fix/clear-cve-dependabot-alerts
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit cc1b8fca3074f2303cbe3c731cf2f680a137f140
Author: Wu Sheng <[email protected]>
AuthorDate: Tue Jun 16 23:00:29 2026 +0800

    Clear CVE Dependabot alerts: Curator/ZooKeeper, assertj, e2e Java/Python 
fixtures
    
    Shipped (oap-server-bom + LICENSE + docs):
    - Apache Curator 4.3.0 -> 5.9.0 (curator-test too) and ZooKeeper 3.5.7 -> 
3.9.5,
      bumped together (Curator 5.x is the line carrying the ZK 3.9.x client). 
Clears
      CVE-2023-44981. OAP is a ZK client only so the server-side bug was never
      reachable, but the bundled jar tripped Dependabot. Plugins use only stable
      Curator APIs; no source changes. Supported ZooKeeper server version is 
now 3.5+
      (3.4.x dropped by Curator 5.x). LICENSE + cluster docs + application.yml 
updated.
    
    Build/test scope:
    - assertj-core 3.20.2 -> 3.27.7 (CVE-2026-24400, test scope only).
    
    e2e test fixtures (test/e2e-v2, never shipped):
    - guava -> 32.0.0-jre, kafka-clients -> 3.9.2, log4j-core -> 2.25.4,
      logback -> 1.2.13 (Java-8 line), json-path -> 2.9.0, flask -> 3.1.3,
      protobuf -> 4.25.8.
    
    The 17 Go-fixture alerts require a go1.24 toolchain (grpc 1.79.3 / x-crypto 
0.45
    need go 1.24, above skywalking-go's published go1.23 ceiling) and are 
handled
    separately: skywalking-go go1.24 enablement + e2e go fixture migration.
---
 dist-material/release-docs/LICENSE                         | 14 +++++++-------
 docs/en/changes/changes.md                                 |  2 ++
 docs/en/setup/backend/backend-cluster.md                   |  6 +++---
 oap-server-bom/pom.xml                                     |  6 +++---
 .../server-starter/src/main/resources/application.yml      |  3 +--
 pom.xml                                                    |  2 +-
 test/e2e-v2/cases/airflow/mock/requirements-replay.txt     |  4 ++--
 .../java-test-service/e2e-mock-baseline-server/pom.xml     |  2 +-
 test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml      |  2 +-
 test/e2e-v2/java-test-service/e2e-service-provider/pom.xml |  6 +++---
 test/e2e-v2/java-test-service/pom.xml                      |  6 +++---
 11 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/dist-material/release-docs/LICENSE 
b/dist-material/release-docs/LICENSE
index 614f378faa..0776a406b0 100644
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -323,10 +323,10 @@ The text of each license is the standard Apache 2.0 
license.
     
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.26.2 
Apache-2.0
     https://mvnrepository.com/artifact/org.apache.commons/commons-lang3/3.18.0 
Apache-2.0
     https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.4 
Apache-2.0
-    https://mvnrepository.com/artifact/org.apache.curator/curator-client/4.3.0 
Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.curator/curator-framework/4.3.0 
Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.curator/curator-recipes/4.3.0 
Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.curator/curator-x-discovery/4.3.0 
Apache-2.0
+    https://mvnrepository.com/artifact/org.apache.curator/curator-client/5.9.0 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.curator/curator-framework/5.9.0 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.curator/curator-recipes/5.9.0 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.curator/curator-x-discovery/5.9.0 
Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpasyncclient/4.1.5
 Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 
Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16 
Apache-2.0
@@ -335,9 +335,9 @@ The text of each license is the standard Apache 2.0 license.
     
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.4 
Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.4 
Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.4
 Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.yetus/audience-annotations/0.5.0 
Apache-2.0
-    https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.5.7 
Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper-jute/3.5.7 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.yetus/audience-annotations/0.12.0 
Apache-2.0
+    https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.9.5 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper-jute/3.9.5 
Apache-2.0
     https://mvnrepository.com/artifact/org.freemarker/freemarker/2.3.31 
Apache-2.0
     
https://mvnrepository.com/artifact/org.jetbrains.kotlin/kotlin-reflect/1.7.10 
Apache-2.0
     
https://mvnrepository.com/artifact/org.jetbrains.kotlin/kotlin-stdlib/1.7.10 
Apache-2.0
diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 0de690baf9..2cc1768421 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -301,6 +301,8 @@
 * Add `@Stream(allowBootReshape = true)` opt-in for additive boot-time reshape 
of BanyanDB streams / measures. Code-defined stream classes (e.g. 
`AlarmRecord`) can now annotate their schema as eligible for in-place additive 
update at OAP boot — a new `@Column` is appended to the live tag-family / 
fields via `client.update` instead of being silently rejected with 
`SKIPPED_SHAPE_MISMATCH` (which previously forced operators to drop the measure 
/ stream and lose historical rows). Additive in [...]
 * Mask keywords `trustStorePass`, `keyStorePass` by default.
 * Bump up dependencies to clear CVE alerts on shipped OAP jars: log4j `2.25.3` 
→ `2.25.4`, jackson `2.18.5` → `2.18.6`, kafka-clients `3.4.0` → `3.9.2`, 
postgresql `42.4.4` → `42.7.11`, commons-compress `1.21` → `1.26.2`.
+* Bump Apache Curator `4.3.0` → `5.9.0` and Apache ZooKeeper `3.5.7` → `3.9.5` 
together to clear CVE-2023-44981 (the bundled ZooKeeper jar carried it; OAP is 
a ZooKeeper client only, so the server-side bug was never reachable, but the 
jar tripped Dependabot). The cluster-zookeeper and configuration-zookeeper 
plugins use only stable Curator APIs, so no source changes were required. 
Operator-facing change: the supported ZooKeeper server version is now 3.5+ — 
ZooKeeper 3.4.x is no longer su [...]
+* Bump test-scope assertj-core `3.20.2` → `3.27.7` to clear CVE-2026-24400 
(XXE in `isXmlEqualTo`, not used by any test).
 * Fix: continuous profiling policy validation now rejects a threshold / count 
of `0` to match the error messages and rover's `value >= threshold` trigger 
semantics (a `0` threshold would always trigger). CPU percent and HTTP error 
rate are tightened from `[0-100]` to `(0-100]`.
 * Fix wrong BanyanDB resource options in record data.
 * Align the default BanyanDB stage `segmentInterval` values so each coarser 
stage is an integer multiple of the finer one (`records` cold `3` → `4`, 
`metricsMinute` cold `5` → `6`, `metricsHour` warm `7` → `10` and cold `15` → 
`20`), keeping hot → warm → cold lifecycle migration on the cheap whole-segment 
fast path.
diff --git a/docs/en/setup/backend/backend-cluster.md 
b/docs/en/setup/backend/backend-cluster.md
index ff1ea0e09f..c7ed2f55fa 100644
--- a/docs/en/setup/backend/backend-cluster.md
+++ b/docs/en/setup/backend/backend-cluster.md
@@ -82,7 +82,7 @@ You could have two options
 Zookeeper is a very common and widely used cluster coordinator. Set the 
**cluster/selector** to **zookeeper** in the yml
 to enable it.
 
-Required Zookeeper version: 3.5+
+Supported Zookeeper server version: 3.5+. The bundled ZooKeeper client library 
is 3.9.x.
 
 ```yaml
 cluster:
@@ -92,11 +92,11 @@ cluster:
 
 - `hostPort` is the list of zookeeper servers. Format is 
`IP1:PORT1,IP2:PORT2,...,IPn:PORTn`
 - `enableACL`
-  enable [Zookeeper 
ACL](https://zookeeper.apache.org/doc/r3.5.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl)
 to
+  enable [Zookeeper 
ACL](https://zookeeper.apache.org/doc/r3.9.3/zookeeperProgrammers.html#sc_ZooKeeperAccessControl)
 to
   control access to its znode.
 - `schema` is Zookeeper ACL schemas.
 - `expression` is a expression of ACL. The format of the expression is 
specific to
-  the 
[schema](https://zookeeper.apache.org/doc/r3.5.5/zookeeperProgrammers.html#sc_BuiltinACLSchemes).
+  the 
[schema](https://zookeeper.apache.org/doc/r3.9.3/zookeeperProgrammers.html#sc_BuiltinACLSchemes).
 - `hostPort`, `baseSleepTimeMs` and `maxRetries` are settings of Zookeeper 
curator client.
 
 Note:
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 7a08c4593b..81768d79db 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -37,7 +37,7 @@
         <okhttp.version>3.14.9</okhttp.version>
         <httpclient.version>4.5.13</httpclient.version>
         <joda-time.version>2.10.5</joda-time.version>
-        <zookeeper.version>3.5.7</zookeeper.version>
+        <zookeeper.version>3.9.5</zookeeper.version>
         <guava.version>32.0.1-jre</guava.version>
         <snakeyaml.version>2.0</snakeyaml.version>
         <protobuf-java.version>4.33.1</protobuf-java.version>
@@ -54,8 +54,8 @@
         <simpleclient.version>0.6.0</simpleclient.version>
         <apollo.version>1.8.0</apollo.version>
         <nacos.version>2.3.2</nacos.version>
-        <curator.version>4.3.0</curator.version>
-        <curator-test.version>2.12.0</curator-test.version>
+        <curator.version>5.9.0</curator.version>
+        <curator-test.version>5.9.0</curator-test.version>
         <etcd4j.version>2.18.0</etcd4j.version>
         <freemarker.version>2.3.31</freemarker.version>
         <javaassist.version>3.25.0-GA</javaassist.version>
diff --git a/oap-server/server-starter/src/main/resources/application.yml 
b/oap-server/server-starter/src/main/resources/application.yml
index e02938cc8e..089f6729bd 100644
--- a/oap-server/server-starter/src/main/resources/application.yml
+++ b/oap-server/server-starter/src/main/resources/application.yml
@@ -16,8 +16,7 @@
 cluster:
   selector: ${SW_CLUSTER:standalone}
   standalone:
-  # Please check your ZooKeeper is 3.5+, However, it is also compatible with 
ZooKeeper 3.4.x. Replace the ZooKeeper 3.5+
-  # library the oap-libs folder with your ZooKeeper 3.4.x library.
+  # Supported ZooKeeper server version: 3.5+. The bundled ZooKeeper client 
library is 3.9.x.
   zookeeper:
     namespace: ${SW_NAMESPACE:""}
     hostPort: ${SW_CLUSTER_ZK_HOST_PORT:localhost:2181}
diff --git a/pom.xml b/pom.xml
index 18490541ab..75696d88a4 100755
--- a/pom.xml
+++ b/pom.xml
@@ -182,7 +182,7 @@
         
<maven-checkstyle-plugin.version>3.1.0</maven-checkstyle-plugin.version>
         <jmh.version>1.37</jmh.version>
         <checkstyle.fails.on.error>true</checkstyle.fails.on.error>
-        <assertj-core.version>3.20.2</assertj-core.version>
+        <assertj-core.version>3.27.7</assertj-core.version>
         <cyclonedx-maven-plugin.version>2.8.0</cyclonedx-maven-plugin.version>
         <flatten-plugin-version>1.6.0</flatten-plugin-version>
 
diff --git a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt 
b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
index 80c4250e3b..2e302eda69 100644
--- a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
+++ b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
@@ -1,4 +1,4 @@
-flask==3.0.3
+flask==3.1.3
 grpcio==1.62.2
-protobuf==4.25.3
+protobuf==4.25.8
 opentelemetry-proto==1.24.0
diff --git a/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml 
b/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml
index e24dc67e3a..f1f91a0223 100644
--- a/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml
+++ b/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml
@@ -58,7 +58,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>23.0</version>
+            <version>32.0.0-jre</version>
         </dependency>
         <dependency>
             <groupId>io.grpc</groupId>
diff --git a/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml 
b/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml
index 922f7ed5e2..29dedb3b58 100644
--- a/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml
+++ b/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml
@@ -61,7 +61,7 @@
         <dependency>
             <groupId>com.jayway.jsonpath</groupId>
             <artifactId>json-path</artifactId>
-            <version>2.7.0</version>
+            <version>2.9.0</version>
         </dependency>
     </dependencies>
     <build>
diff --git a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml 
b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
index 2de07cc331..74b73f137c 100644
--- a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
+++ b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
@@ -35,8 +35,8 @@
 
     <properties>
         <log4j.version>1.2.17</log4j.version>
-        <log4j2.version>2.17.1</log4j2.version>
-        <logback.version>1.2.3</logback.version>
+        <log4j2.version>2.25.4</log4j2.version>
+        <logback.version>1.2.13</logback.version>
     </properties>
 
     <dependencies>
@@ -109,7 +109,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>23.0</version>
+            <version>32.0.0-jre</version>
         </dependency>
 
     </dependencies>
diff --git a/test/e2e-v2/java-test-service/pom.xml 
b/test/e2e-v2/java-test-service/pom.xml
index f7206b423a..1a0e04524e 100644
--- a/test/e2e-v2/java-test-service/pom.xml
+++ b/test/e2e-v2/java-test-service/pom.xml
@@ -50,11 +50,11 @@
         <spring.cloud.version>2.1.2.RELEASE</spring.cloud.version>
         <jupeter.version>5.6.0</jupeter.version>
         <jackson.version>2.9.7</jackson.version>
-        <guava.version>30.1.1-jre</guava.version>
+        <guava.version>32.0.0-jre</guava.version>
         <h2.version>2.1.210</h2.version>
         <mysql.version>8.0.13</mysql.version>
         <lombok.version>1.18.40</lombok.version>
-        <kafka-clients.version>2.4.1</kafka-clients.version>
+        <kafka-clients.version>3.9.2</kafka-clients.version>
 
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
         <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
@@ -120,7 +120,7 @@
         <dependency>
             <groupId>org.apache.kafka</groupId>
             <artifactId>kafka-clients</artifactId>
-            <version>2.8.0</version>
+            <version>${kafka-clients.version}</version>
         </dependency>
 
     </dependencies>
