This is an automated email from the ASF dual-hosted git repository.
jark pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fluss.git
The following commit(s) were added to refs/heads/main by this push:
new d4a72fad2 [common] switch to at.yawk.lz4:lz4-java due to
CVE-2025-12183 (#2136)
d4a72fad2 is described below
commit d4a72fad240d4b81563aaf83fa3b09b5058674ed
Author: Pei Yu <[email protected]>
AuthorDate: Sun Dec 28 11:49:10 2025 +0800
[common] switch to at.yawk.lz4:lz4-java due to CVE-2025-12183 (#2136)
---
fluss-client/src/main/resources/META-INF/NOTICE | 4 ++--
fluss-common/pom.xml | 6 +++---
fluss-lake/fluss-lake-iceberg/src/main/resources/META-INF/NOTICE | 2 +-
fluss-server/src/main/resources/META-INF/NOTICE | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fluss-client/src/main/resources/META-INF/NOTICE
b/fluss-client/src/main/resources/META-INF/NOTICE
index fd48d55f4..7b09b01f4 100644
--- a/fluss-client/src/main/resources/META-INF/NOTICE
+++ b/fluss-client/src/main/resources/META-INF/NOTICE
@@ -10,7 +10,7 @@ This project bundles the following dependencies under the
Apache Software Licens
- com.ververica:frocksdbjni:6.20.3-ververica-2.0
- org.apache.commons:commons-lang3:3.18.0
- org.apache.commons:commons-math3:3.6.1
-- org.lz4:lz4-java:1.8.0
+- at.yawk.lz4:lz4-java:1.10.2
This project bundles the following dependencies under the MIT
(https://opensource.org/licenses/MIT)
See bundled license files for details.
@@ -20,4 +20,4 @@ See bundled license files for details.
This project bundles the following dependencies under BSD License
(https://opensource.org/licenses/bsd-license.php).
See bundled license files for details.
-- com.github.luben:zstd-jni:1.5.7-1
\ No newline at end of file
+- com.github.luben:zstd-jni:1.5.7-6
\ No newline at end of file
diff --git a/fluss-common/pom.xml b/fluss-common/pom.xml
index 7fdc2fe9c..c03a97091 100644
--- a/fluss-common/pom.xml
+++ b/fluss-common/pom.xml
@@ -64,15 +64,15 @@
<!-- TODO: these two dependencies need to be shaded. -->
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
- <version>1.8.0</version>
+ <version>1.10.2</version>
</dependency>
<dependency>
<groupId>com.github.luben</groupId>
<artifactId>zstd-jni</artifactId>
- <version>1.5.7-1</version>
+ <version>1.5.7-6</version>
</dependency>
<!-- RocksDB dependencies -->
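Review bot: Changing the groupId to `at.yawk.lz4` in fluss-common/pom.xml does not by itself keep the old `org.lz4:lz4-java` jar off the classpath. Maven treats the two coordinates as unrelated artifacts, so a transitive dependency that still declares `org.lz4:lz4-java:1.8.0` would resolve alongside the fork. If the fork keeps the same package names, as a drop-in replacement presumably does, classpath order would then decide which copy loads. The diff does not show whether such a transitive path exists, so it is worth running `mvn dependency:tree -Dincludes=org.lz4` over the modules that bundle lz4 (client and server, per the NOTICE changes). To guard against regressions, consider a maven-enforcer `bannedDependencies` rule with `<exclude>org.lz4:lz4-java</exclude>`, plus an `<exclusion>` on any dependency found to pull it in. The `<dependencies>` block starts and ends outside this hunk, and the TODO above the entry says the two libraries are still unshaded, so a stray duplicate would not be isolated by relocation.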
diff --git a/fluss-lake/fluss-lake-iceberg/src/main/resources/META-INF/NOTICE
b/fluss-lake/fluss-lake-iceberg/src/main/resources/META-INF/NOTICE
index 331e7324f..be0e6f53f 100644
--- a/fluss-lake/fluss-lake-iceberg/src/main/resources/META-INF/NOTICE
+++ b/fluss-lake/fluss-lake-iceberg/src/main/resources/META-INF/NOTICE
@@ -51,5 +51,5 @@ See bundled license files for details.
This project bundles the following dependencies under BSD License
(https://opensource.org/licenses/bsd-license.php).
See bundled license files for details.
-- com.github.luben:zstd-jni:1.5.7-1
+- com.github.luben:zstd-jni:1.5.7-6
- org.threeten:threeten-extra:1.7.1
diff --git a/fluss-server/src/main/resources/META-INF/NOTICE
b/fluss-server/src/main/resources/META-INF/NOTICE
index fb2b8a315..e0de7d5b4 100644
--- a/fluss-server/src/main/resources/META-INF/NOTICE
+++ b/fluss-server/src/main/resources/META-INF/NOTICE
@@ -13,7 +13,7 @@ This project bundles the following dependencies under the
Apache Software Licens
- commons-cli:commons-cli:1.5.0
- org.apache.commons:commons-lang3:3.18.0
- org.apache.commons:commons-math3:3.6.1
-- org.lz4:lz4-java:1.8.0
+- at.yawk.lz4:lz4-java:1.10.2
- org.xerial.snappy:snappy-java:1.1.10.4
This project bundles the following dependencies under the MIT
(https://opensource.org/licenses/MIT)
@@ -25,6 +25,6 @@ See bundled license files for details.
This project bundles the following dependencies under BSD License
(https://opensource.org/licenses/bsd-license.php).
See bundled license files for details.
-- com.github.luben:zstd-jni:1.5.7-1
+- com.github.luben:zstd-jni:1.5.7-6