This is an automated email from the ASF dual-hosted git repository. yao pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push: new 9fb9cff6e1cb [SPARK-49120][BUILD] Bump Gson 2.11.0 9fb9cff6e1cb is described below commit 9fb9cff6e1cb73bafc16cbe07ab2c02f41ead988 Author: Cheng Pan <cheng...@apache.org> AuthorDate: Tue Aug 6 22:06:13 2024 +0800 [SPARK-49120][BUILD] Bump Gson 2.11.0 ### What changes were proposed in this pull request? Currently, Spark pulls Gson 2.2.4 from `hive-exec`, which is pretty old and [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647), this PR proposes to upgrade it to the latest version 2.11.0. <img width="697" alt="image" src="https://github.com/user-attachments/assets/f101ab3f-875c-4cc3-9692-48394c9ada3e"> ### Why are the changes needed? For security. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? GHA. ### Was this patch authored or co-authored using generative AI tooling? No. Closes #47627 from pan3793/SPARK-49120. Authored-by: Cheng Pan <cheng...@apache.org> Signed-off-by: Kent Yao <y...@apache.org> --- dev/deps/spark-deps-hadoop-3-hive-2.3 | 2 +- pom.xml | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 b/dev/deps/spark-deps-hadoop-3-hive-2.3 index cec071466fc3..a4b236bc8b81 100644 --- a/dev/deps/spark-deps-hadoop-3-hive-2.3 +++ b/dev/deps/spark-deps-hadoop-3-hive-2.3 @@ -66,7 +66,7 @@ esdk-obs-java/3.20.4.2//esdk-obs-java-3.20.4.2.jar flatbuffers-java/24.3.25//flatbuffers-java-24.3.25.jar gcs-connector/hadoop3-2.2.21/shaded/gcs-connector-hadoop3-2.2.21-shaded.jar gmetric4j/1.0.10//gmetric4j-1.0.10.jar -gson/2.2.4//gson-2.2.4.jar +gson/2.11.0//gson-2.11.0.jar guava/14.0.1//guava-14.0.1.jar hadoop-aliyun/3.4.0//hadoop-aliyun-3.4.0.jar hadoop-annotations/3.4.0//hadoop-annotations-3.4.0.jar diff --git a/pom.xml b/pom.xml index fef759409416..286476a6c90b 100644 --- a/pom.xml +++ b/pom.xml @@ -197,6 +197,7 @@ <commons-pool2.version>2.12.0</commons-pool2.version> <datanucleus-core.version>4.1.17</datanucleus-core.version> <guava.version>14.0.1</guava.version> + <gson.version>2.11.0</gson.version> <janino.version>3.1.9</janino.version> <jersey.version>3.0.12</jersey.version> <joda.version>2.12.7</joda.version> @@ -572,6 +573,18 @@ <!-- End of shaded deps --> + <dependency> + <groupId>com.google.code.gson</groupId> + <artifactId>gson</artifactId> + <version>${gson.version}</version> + <exclusions> + <exclusion> + <groupId>com.google.errorprone</groupId> + <artifactId>error_prone_annotations</artifactId> + </exclusion> + </exclusions> + </dependency> + <!-- Provide a JAXB impl; no longer auto available in Java 9+ in the JDK --> <dependency> <groupId>org.glassfish.jaxb</groupId> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org