This is an automated email from the ASF dual-hosted git repository.

yao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/master by this push:
     new 9fb9cff6e1cb [SPARK-49120][BUILD] Bump Gson 2.11.0
9fb9cff6e1cb is described below

commit 9fb9cff6e1cb73bafc16cbe07ab2c02f41ead988
Author: Cheng Pan <cheng...@apache.org>
AuthorDate: Tue Aug 6 22:06:13 2024 +0800

    [SPARK-49120][BUILD] Bump Gson 2.11.0
    
    ### What changes were proposed in this pull request?
    
    Currently, Spark pulls Gson 2.2.4 from `hive-exec`, which is pretty old and 
[vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647); 
this PR proposes upgrading it to the latest version, 2.11.0.
    
    <img width="697" alt="image" 
src="https://github.com/user-attachments/assets/f101ab3f-875c-4cc3-9692-48394c9ada3e";>
    
    ### Why are the changes needed?
    
    For security.
    
    ### Does this PR introduce _any_ user-facing change?
    
    No.
    
    ### How was this patch tested?
    
    GHA.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    No.
    
    Closes #47627 from pan3793/SPARK-49120.
    
    Authored-by: Cheng Pan <cheng...@apache.org>
    Signed-off-by: Kent Yao <y...@apache.org>
---
 dev/deps/spark-deps-hadoop-3-hive-2.3 |  2 +-
 pom.xml                               | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 
b/dev/deps/spark-deps-hadoop-3-hive-2.3
index cec071466fc3..a4b236bc8b81 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -66,7 +66,7 @@ esdk-obs-java/3.20.4.2//esdk-obs-java-3.20.4.2.jar
 flatbuffers-java/24.3.25//flatbuffers-java-24.3.25.jar
 gcs-connector/hadoop3-2.2.21/shaded/gcs-connector-hadoop3-2.2.21-shaded.jar
 gmetric4j/1.0.10//gmetric4j-1.0.10.jar
-gson/2.2.4//gson-2.2.4.jar
+gson/2.11.0//gson-2.11.0.jar
 guava/14.0.1//guava-14.0.1.jar
 hadoop-aliyun/3.4.0//hadoop-aliyun-3.4.0.jar
 hadoop-annotations/3.4.0//hadoop-annotations-3.4.0.jar
diff --git a/pom.xml b/pom.xml
index fef759409416..286476a6c90b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -197,6 +197,7 @@
     <commons-pool2.version>2.12.0</commons-pool2.version>
     <datanucleus-core.version>4.1.17</datanucleus-core.version>
     <guava.version>14.0.1</guava.version>
+    <gson.version>2.11.0</gson.version>
     <janino.version>3.1.9</janino.version>
     <jersey.version>3.0.12</jersey.version>
     <joda.version>2.12.7</joda.version>
@@ -572,6 +573,18 @@
 
       <!-- End of shaded deps -->
 
+      <dependency>
+        <groupId>com.google.code.gson</groupId>
+        <artifactId>gson</artifactId>
+        <version>${gson.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>com.google.errorprone</groupId>
+            <artifactId>error_prone_annotations</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
+
       <!-- Provide a JAXB impl; no longer auto available in Java 9+ in the JDK 
-->
       <dependency>
         <groupId>org.glassfish.jaxb</groupId>
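Review bot: The new managed `gson` entry carries no comment saying why it is here, even though the neighbouring entries in this block document their rationale (`<!-- End of shaded deps -->`, the JAXB note); a maintainer who later meets `${gson.version}` will not see that, per the commit message, the entry exists to override the Gson 2.2.4 that `hive-exec` pulls in transitively rather than to serve a direct dependency. I would add above the `<dependency>` element: `<!-- Managed only to override the Gson version pulled in transitively by hive-exec (SPARK-49120). -->`. The `error_prone_annotations` exclusion is presumably there because Gson 2.11.0 declares that artifact as a dependency and it is not wanted on the distribution classpath; if so, a one-line comment on the `<exclusion>` would spare the next upgrader from wondering whether it can be dropped or whether the manifest in `dev/deps/spark-deps-hadoop-3-hive-2.3` should list it. The enclosing element (presumably `<dependencyManagement>`) starts and ends outside the hunk.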

