gyfora pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git
The following commit(s) were added to refs/heads/main by this push:
new 13c867cc [FLINK-39713] Bump log4j, jackson, and Beam to retire CVEs
13c867cc is described below
commit 13c867cc9513f32dfc8b1edc118b98ea5dc0a552
Author: Purushottam Sinha <[email protected]>
AuthorDate: Wed Jun 3 20:15:33 2026 +0530
[FLINK-39713] Bump log4j, jackson, and Beam to retire CVEs
---
examples/flink-beam-example/pom.xml | 2 +-
.../src/main/resources/META-INF/NOTICE | 8 ++++----
.../src/main/resources/META-INF/NOTICE | 20 ++++++++++----------
pom.xml | 4 ++--
4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/examples/flink-beam-example/pom.xml
b/examples/flink-beam-example/pom.xml
index b96475ce..5f2a5bb9 100644
--- a/examples/flink-beam-example/pom.xml
+++ b/examples/flink-beam-example/pom.xml
@@ -33,7 +33,7 @@ under the License.
<!-- Given that this is an example skip maven deployment -->
<properties>
<maven.deploy.skip>true</maven.deploy.skip>
- <beam.version>2.62.0</beam.version>
+ <beam.version>2.73.0</beam.version>
</properties>
<repositories>
diff --git a/flink-autoscaler-standalone/src/main/resources/META-INF/NOTICE
b/flink-autoscaler-standalone/src/main/resources/META-INF/NOTICE
index 8909eb80..41f0ea55 100644
--- a/flink-autoscaler-standalone/src/main/resources/META-INF/NOTICE
+++ b/flink-autoscaler-standalone/src/main/resources/META-INF/NOTICE
@@ -17,10 +17,10 @@ This project bundles the following dependencies under the
Apache Software Licens
- commons-io:commons-io:jar:2.15.1
- org.apache.commons:commons-lang3:jar:3.18.0
- org.apache.commons:commons-math3:jar:3.6.1
-- org.apache.logging.log4j:log4j-1.2-api:jar:2.23.1
-- org.apache.logging.log4j:log4j-api:jar:2.23.1
-- org.apache.logging.log4j:log4j-core:jar:2.23.1
-- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.23.1
+- org.apache.logging.log4j:log4j-1.2-api:jar:2.25.4
+- org.apache.logging.log4j:log4j-api:jar:2.25.4
+- org.apache.logging.log4j:log4j-core:jar:2.25.4
+- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.25.4
- org.javassist:javassist:jar:3.24.0-GA
- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.9.10
- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.8.21
diff --git a/flink-kubernetes-operator/src/main/resources/META-INF/NOTICE
b/flink-kubernetes-operator/src/main/resources/META-INF/NOTICE
index eb7c379d..fcaddf0f 100644
--- a/flink-kubernetes-operator/src/main/resources/META-INF/NOTICE
+++ b/flink-kubernetes-operator/src/main/resources/META-INF/NOTICE
@@ -6,11 +6,11 @@ The Apache Software Foundation (http://www.apache.org/).
This project bundles the following dependencies under the Apache Software
License 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt)
-- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.0
-- com.fasterxml.jackson.core:jackson-core:jar:2.15.0
-- com.fasterxml.jackson.core:jackson-databind:jar:2.15.0
-- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.0
-- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.0
+- com.fasterxml.jackson.core:jackson-annotations:jar:2.21.3
+- com.fasterxml.jackson.core:jackson-core:jar:2.21.3
+- com.fasterxml.jackson.core:jackson-databind:jar:2.21.3
+- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.21.3
+- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.21.3
- com.google.code.findbugs:jsr305:jar:1.3.9
- com.google.errorprone:error_prone_annotations:jar:2.36.0
- com.google.guava:failureaccess:jar:1.0.2
@@ -59,10 +59,10 @@ This project bundles the following dependencies under the
Apache Software Licens
- org.apache.commons:commons-lang3:jar:3.18.0
- org.apache.commons:commons-math3:jar:3.6.1
- org.apache.commons:commons-text:jar:1.10.0
-- org.apache.logging.log4j:log4j-1.2-api:jar:2.23.1
-- org.apache.logging.log4j:log4j-api:jar:2.23.1
-- org.apache.logging.log4j:log4j-core:jar:2.23.1
-- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.23.1
+- org.apache.logging.log4j:log4j-1.2-api:jar:2.25.4
+- org.apache.logging.log4j:log4j-api:jar:2.25.4
+- org.apache.logging.log4j:log4j-core:jar:2.25.4
+- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.25.4
- org.checkerframework:checker-qual:jar:3.43.0
- org.javassist:javassist:jar:3.24.0-GA
- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.8.21
@@ -76,7 +76,7 @@ This project bundles the following dependencies under the
Apache Software Licens
- org.slf4j:slf4j-api:jar:1.7.36
- org.snakeyaml:snakeyaml-engine:jar:2.6
- org.xerial.snappy:snappy-java:jar:1.1.10.4
-- org.yaml:snakeyaml:jar:2.0
+- org.yaml:snakeyaml:jar:2.5
- tools.profiler:async-profiler:jar:2.9
- io.github.java-diff-utils:java-diff-utils:4.15
- io.fabric8:kubernetes-httpclient-jdk:7.3.0
diff --git a/pom.xml b/pom.xml
index 8c8a350c..49ec260b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -87,7 +87,7 @@ under the License.
<guava.version>33.4.0-jre</guava.version>
<slf4j.version>1.7.36</slf4j.version>
- <log4j.version>2.23.1</log4j.version>
+ <log4j.version>2.25.4</log4j.version>
<logback.version>1.2.13</logback.version>
<spotless.version>2.40.0</spotless.version>
@@ -126,7 +126,7 @@ under the License.
<artifactId>jackson-bom</artifactId>
<type>pom</type>
<scope>import</scope>
- <version>2.15.0</version>
+ <version>2.21.3</version>
</dependency>
<dependency>
<groupId>org.junit</groupId>