This is an automated email from the ASF dual-hosted git repository.

afedulov pushed a commit to branch release-1.19
in repository https://gitbox.apache.org/repos/asf/flink.git


The following commit(s) were added to refs/heads/release-1.19 by this push:
     new 3b334bd1b0d [FLINK-33571][table] Upgrade json-path from 2.7.0 to 2.9.0
3b334bd1b0d is described below

commit 3b334bd1b0d016259cc2a2dbe97614c699954ebb
Author: Thomas Cooper <c...@tomcooper.dev>
AuthorDate: Tue Nov 26 18:30:04 2024 +0000

    [FLINK-33571][table] Upgrade json-path from 2.7.0 to 2.9.0
    
    
    Signed-off-by: Thomas Cooper <c...@tomcooper.dev>
---
 flink-table/flink-table-calcite-bridge/pom.xml               | 12 ++++++++++++
 .../flink-table-runtime/src/main/resources/META-INF/NOTICE   |  2 +-
 flink-table/pom.xml                                          |  2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/flink-table/flink-table-calcite-bridge/pom.xml 
b/flink-table/flink-table-calcite-bridge/pom.xml
index f5c76db9298..566dc6e8d5d 100644
--- a/flink-table/flink-table-calcite-bridge/pom.xml
+++ b/flink-table/flink-table-calcite-bridge/pom.xml
@@ -152,9 +152,21 @@ under the License.
                                        
<groupId>org.locationtech.proj4j</groupId>
                                        <artifactId>proj4j</artifactId>
                                </exclusion>
+                               <!-- Exclude json-path as we are manually 
overriding it to a newer version -->
+                               <exclusion>
+                                       <groupId>com.jayway.jsonpath</groupId>
+                                       <artifactId>json-path</artifactId>
+                               </exclusion>
                        </exclusions>
                </dependency>
 
+               <!-- Override the json-path version used by Calcite 1.32 to 
deal with CVE-2023-1370 -->
+               <dependency>
+                       <groupId>com.jayway.jsonpath</groupId>
+                       <artifactId>json-path</artifactId>
+                       <version>${jsonpath.version}</version>
+               </dependency>
+
                <dependency>
                        <groupId>org.apache.flink</groupId>
                        <artifactId>flink-annotations</artifactId>
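Review bot: The comment on the new json-path dependency cites CVE-2023-1370 without naming the affected artifact; as far as I know that CVE is tracked against json-smart, which json-path pulls in transitively, so the fix depends on the json-smart version that `${jsonpath.version}` resolves to rather than on json-path itself. I would spell that out, e.g. `<!-- Override Calcite's json-path so its transitive json-smart is a version not affected by CVE-2023-1370 -->`, and confirm the resolved json-smart version with `mvn dependency:tree` for this module and for any module that bundles json-path. The comment also hard-codes "Calcite 1.32", which will go stale on the next Calcite upgrade; a short remark that the exclusion and override can be removed once Calcite itself depends on a fixed json-path would keep this from lingering. The enclosing `<dependencies>` block starts and ends outside the hunk.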
diff --git a/flink-table/flink-table-runtime/src/main/resources/META-INF/NOTICE 
b/flink-table/flink-table-runtime/src/main/resources/META-INF/NOTICE
index fcf5543f0c9..da9c33490be 100644
--- a/flink-table/flink-table-runtime/src/main/resources/META-INF/NOTICE
+++ b/flink-table/flink-table-runtime/src/main/resources/META-INF/NOTICE
@@ -6,6 +6,6 @@ The Apache Software Foundation (http://www.apache.org/).
 
 This project bundles the following dependencies under the Apache Software 
License 2.0. (http://www.apache.org/licenses/LICENSE-2.0.txt)
 
-- com.jayway.jsonpath:json-path:2.7.0
+- com.jayway.jsonpath:json-path:2.9.0
 - org.codehaus.janino:janino:3.1.10
 - org.codehaus.janino:commons-compiler:3.1.10
diff --git a/flink-table/pom.xml b/flink-table/pom.xml
index 2a16a878304..8d547c940c2 100644
--- a/flink-table/pom.xml
+++ b/flink-table/pom.xml
@@ -83,7 +83,7 @@ under the License.
                at the same time minimum 3.1.x Janino version passing Flink 
tests without WAs is 3.1.10,
                more details are in FLINK-27995 -->
                <janino.version>3.1.10</janino.version>
-               <jsonpath.version>2.7.0</jsonpath.version>
+               <jsonpath.version>2.9.0</jsonpath.version>
                <guava.version>32.1.3-jre</guava.version>
        </properties>
 </project>
