kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg.git
The following commit(s) were added to refs/heads/main by this push:
new b986d73099 Build: Fix transitive dependency CVEs across all
distributions (#16290)
b986d73099 is described below
commit b986d73099d2771f77dc56eb83119b512d0e47bf
Author: Kevin Liu <[email protected]>
AuthorDate: Tue May 12 12:45:42 2026 -0400
Build: Fix transitive dependency CVEs across all distributions (#16290)
---
aws-bundle/runtime-deps.txt | 112 ++++++++---------
azure-bundle/runtime-deps.txt | 42 ++++---
build.gradle | 7 ++
flink/v1.20/flink-runtime/runtime-deps.txt | 10 +-
flink/v2.0/flink-runtime/runtime-deps.txt | 10 +-
flink/v2.1/flink-runtime/runtime-deps.txt | 10 +-
gcp-bundle/runtime-deps.txt | 4 +-
gradle/libs.versions.toml | 4 +-
.../kafka-connect-runtime/runtime-deps.txt | 132 +++++++++++----------
spark/v3.4/spark-runtime/runtime-deps.txt | 12 +-
spark/v3.5/spark-runtime/runtime-deps.txt | 12 +-
spark/v4.0/spark-runtime/runtime-deps.txt | 12 +-
spark/v4.1/spark-runtime/runtime-deps.txt | 12 +-
13 files changed, 199 insertions(+), 180 deletions(-)
diff --git a/aws-bundle/runtime-deps.txt b/aws-bundle/runtime-deps.txt
index bc2117dd83..b0c8cb9460 100644
--- a/aws-bundle/runtime-deps.txt
+++ b/aws-bundle/runtime-deps.txt
@@ -2,65 +2,69 @@ com.github.ben-manes.caffeine:caffeine:2.9.3
com.google.errorprone:error_prone_annotations:2.10.0
commons-codec:commons-codec:1.17.1
commons-logging:commons-logging:1.2
-io.netty:netty-buffer:4.1.132.Final
-io.netty:netty-codec-http2:4.1.132.Final
-io.netty:netty-codec-http:4.1.132.Final
-io.netty:netty-codec:4.1.132.Final
-io.netty:netty-common:4.1.132.Final
-io.netty:netty-handler:4.1.132.Final
-io.netty:netty-resolver:4.1.132.Final
-io.netty:netty-transport-classes-epoll:4.1.132.Final
-io.netty:netty-transport-native-unix-common:4.1.132.Final
-io.netty:netty-transport:4.1.132.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-codec-base:4.2.13.Final
+io.netty:netty-codec-compression:4.2.13.Final
+io.netty:netty-codec-http2:4.2.13.Final
+io.netty:netty-codec-http:4.2.13.Final
+io.netty:netty-codec-marshalling:4.2.13.Final
+io.netty:netty-codec-protobuf:4.2.13.Final
+io.netty:netty-codec:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
+io.netty:netty-handler:4.2.13.Final
+io.netty:netty-resolver:4.2.13.Final
+io.netty:netty-transport-classes-epoll:4.2.13.Final
+io.netty:netty-transport-native-unix-common:4.2.13.Final
+io.netty:netty-transport:4.2.13.Final
org.apache.httpcomponents:httpclient:4.5.13
org.apache.httpcomponents:httpcore:4.4.16
org.checkerframework:checker-qual:3.19.0
org.reactivestreams:reactive-streams:1.0.4
software.amazon.awssdk.crt:aws-crt:0.45.1
-software.amazon.awssdk:annotations:2.44.0
-software.amazon.awssdk:apache-client:2.44.0
-software.amazon.awssdk:arns:2.44.0
-software.amazon.awssdk:auth:2.44.0
-software.amazon.awssdk:aws-core:2.44.0
-software.amazon.awssdk:aws-json-protocol:2.44.0
-software.amazon.awssdk:aws-query-protocol:2.44.0
-software.amazon.awssdk:aws-xml-protocol:2.44.0
-software.amazon.awssdk:checksums-spi:2.44.0
-software.amazon.awssdk:checksums:2.44.0
-software.amazon.awssdk:cloudwatch-metric-publisher:2.44.0
-software.amazon.awssdk:cloudwatch:2.44.0
-software.amazon.awssdk:crt-core:2.44.0
-software.amazon.awssdk:dynamodb:2.44.0
-software.amazon.awssdk:endpoints-spi:2.44.0
-software.amazon.awssdk:glue:2.44.0
-software.amazon.awssdk:http-auth-aws-crt:2.44.0
-software.amazon.awssdk:http-auth-aws-eventstream:2.44.0
-software.amazon.awssdk:http-auth-aws:2.44.0
-software.amazon.awssdk:http-auth-spi:2.44.0
-software.amazon.awssdk:http-auth:2.44.0
-software.amazon.awssdk:http-client-spi:2.44.0
-software.amazon.awssdk:iam:2.44.0
-software.amazon.awssdk:identity-spi:2.44.0
-software.amazon.awssdk:json-utils:2.44.0
-software.amazon.awssdk:kms:2.44.0
-software.amazon.awssdk:lakeformation:2.44.0
-software.amazon.awssdk:metrics-spi:2.44.0
-software.amazon.awssdk:netty-nio-client:2.44.0
-software.amazon.awssdk:profiles:2.44.0
-software.amazon.awssdk:protocol-core:2.44.0
-software.amazon.awssdk:regions:2.44.0
-software.amazon.awssdk:retries-spi:2.44.0
-software.amazon.awssdk:retries:2.44.0
-software.amazon.awssdk:s3:2.44.0
-software.amazon.awssdk:s3control:2.44.0
-software.amazon.awssdk:sdk-core:2.44.0
-software.amazon.awssdk:smithy-rpcv2-protocol:2.44.0
-software.amazon.awssdk:sso:2.44.0
-software.amazon.awssdk:sts:2.44.0
-software.amazon.awssdk:third-party-jackson-core:2.44.0
-software.amazon.awssdk:third-party-jackson-dataformat-cbor:2.44.0
-software.amazon.awssdk:utils-lite:2.44.0
-software.amazon.awssdk:utils:2.44.0
+software.amazon.awssdk:annotations:2.44.4
+software.amazon.awssdk:apache-client:2.44.4
+software.amazon.awssdk:arns:2.44.4
+software.amazon.awssdk:auth:2.44.4
+software.amazon.awssdk:aws-core:2.44.4
+software.amazon.awssdk:aws-json-protocol:2.44.4
+software.amazon.awssdk:aws-query-protocol:2.44.4
+software.amazon.awssdk:aws-xml-protocol:2.44.4
+software.amazon.awssdk:checksums-spi:2.44.4
+software.amazon.awssdk:checksums:2.44.4
+software.amazon.awssdk:cloudwatch-metric-publisher:2.44.4
+software.amazon.awssdk:cloudwatch:2.44.4
+software.amazon.awssdk:crt-core:2.44.4
+software.amazon.awssdk:dynamodb:2.44.4
+software.amazon.awssdk:endpoints-spi:2.44.4
+software.amazon.awssdk:glue:2.44.4
+software.amazon.awssdk:http-auth-aws-crt:2.44.4
+software.amazon.awssdk:http-auth-aws-eventstream:2.44.4
+software.amazon.awssdk:http-auth-aws:2.44.4
+software.amazon.awssdk:http-auth-spi:2.44.4
+software.amazon.awssdk:http-auth:2.44.4
+software.amazon.awssdk:http-client-spi:2.44.4
+software.amazon.awssdk:iam:2.44.4
+software.amazon.awssdk:identity-spi:2.44.4
+software.amazon.awssdk:json-utils:2.44.4
+software.amazon.awssdk:kms:2.44.4
+software.amazon.awssdk:lakeformation:2.44.4
+software.amazon.awssdk:metrics-spi:2.44.4
+software.amazon.awssdk:netty-nio-client:2.44.4
+software.amazon.awssdk:profiles:2.44.4
+software.amazon.awssdk:protocol-core:2.44.4
+software.amazon.awssdk:regions:2.44.4
+software.amazon.awssdk:retries-spi:2.44.4
+software.amazon.awssdk:retries:2.44.4
+software.amazon.awssdk:s3:2.44.4
+software.amazon.awssdk:s3control:2.44.4
+software.amazon.awssdk:sdk-core:2.44.4
+software.amazon.awssdk:smithy-rpcv2-protocol:2.44.4
+software.amazon.awssdk:sso:2.44.4
+software.amazon.awssdk:sts:2.44.4
+software.amazon.awssdk:third-party-jackson-core:2.44.4
+software.amazon.awssdk:third-party-jackson-dataformat-cbor:2.44.4
+software.amazon.awssdk:utils-lite:2.44.4
+software.amazon.awssdk:utils:2.44.4
software.amazon.eventstream:eventstream:1.0.1
software.amazon.s3.accessgrants:aws-s3-accessgrants-java-plugin:2.4.1
software.amazon.s3.analyticsaccelerator:analyticsaccelerator-s3:1.3.1
diff --git a/azure-bundle/runtime-deps.txt b/azure-bundle/runtime-deps.txt
index 2e5198f498..9cf83d5bf8 100644
--- a/azure-bundle/runtime-deps.txt
+++ b/azure-bundle/runtime-deps.txt
@@ -14,27 +14,31 @@ com.fasterxml.jackson.core:jackson-databind:2.18.4
com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.4
com.microsoft.azure:msal4j-persistence-extension:1.3.0
com.microsoft.azure:msal4j:1.23.1
-io.netty:netty-buffer:4.1.130.Final
-io.netty:netty-codec-dns:4.1.128.Final
-io.netty:netty-codec-http2:4.1.130.Final
-io.netty:netty-codec-http:4.1.130.Final
-io.netty:netty-codec-socks:4.1.130.Final
-io.netty:netty-codec:4.1.130.Final
-io.netty:netty-common:4.1.130.Final
-io.netty:netty-handler-proxy:4.1.130.Final
-io.netty:netty-handler:4.1.130.Final
-io.netty:netty-resolver-dns-classes-macos:4.1.128.Final
-io.netty:netty-resolver-dns-native-macos:4.1.128.Final
-io.netty:netty-resolver-dns:4.1.128.Final
-io.netty:netty-resolver:4.1.130.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-codec-base:4.2.13.Final
+io.netty:netty-codec-compression:4.2.13.Final
+io.netty:netty-codec-dns:4.2.13.Final
+io.netty:netty-codec-http2:4.2.13.Final
+io.netty:netty-codec-http:4.2.13.Final
+io.netty:netty-codec-marshalling:4.2.13.Final
+io.netty:netty-codec-protobuf:4.2.13.Final
+io.netty:netty-codec-socks:4.2.13.Final
+io.netty:netty-codec:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
+io.netty:netty-handler-proxy:4.2.13.Final
+io.netty:netty-handler:4.2.13.Final
+io.netty:netty-resolver-dns-classes-macos:4.2.13.Final
+io.netty:netty-resolver-dns-native-macos:4.2.13.Final
+io.netty:netty-resolver-dns:4.2.13.Final
+io.netty:netty-resolver:4.2.13.Final
io.netty:netty-tcnative-boringssl-static:2.0.74.Final
io.netty:netty-tcnative-classes:2.0.74.Final
-io.netty:netty-transport-classes-epoll:4.1.130.Final
-io.netty:netty-transport-classes-kqueue:4.1.130.Final
-io.netty:netty-transport-native-epoll:4.1.130.Final
-io.netty:netty-transport-native-kqueue:4.1.130.Final
-io.netty:netty-transport-native-unix-common:4.1.130.Final
-io.netty:netty-transport:4.1.130.Final
+io.netty:netty-transport-classes-epoll:4.2.13.Final
+io.netty:netty-transport-classes-kqueue:4.2.13.Final
+io.netty:netty-transport-native-epoll:4.2.13.Final
+io.netty:netty-transport-native-kqueue:4.2.13.Final
+io.netty:netty-transport-native-unix-common:4.2.13.Final
+io.netty:netty-transport:4.2.13.Final
io.projectreactor.netty:reactor-netty-core:1.2.13
io.projectreactor.netty:reactor-netty-http:1.2.13
io.projectreactor:reactor-core:3.7.14
diff --git a/build.gradle b/build.gradle
index 048de63ae7..249e5ba91d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -206,6 +206,13 @@ subprojects {
dependencySubstitution {
substitute module("org.lz4:lz4-java") using
module(libs.lz4Java.get().toString()) because("Enforce lz4-java that contains
CVE-2025-12183 and CVE-2025-66566 fixes")
substitute module("io.airlift:aircompressor") using
module(libs.aircompressor.get().toString()) because("Enforce aircompressor that
contains CVE-2025-67721 fix")
+ substitute module("org.bouncycastle:bcprov-jdk18on") using
module(libs.bouncycastle.bcprov.get().toString()) because("Enforce BouncyCastle
that contains CVE-2026-5598 fix")
+ }
+ eachDependency { details ->
+ if (details.requested.group == 'io.netty' &&
details.requested.version?.startsWith('4.1.')) {
+ details.useVersion(libs.versions.netty.buffer.get())
+ details.because("Fix Netty 4.1.x CVEs (CVE-2026-42577,
CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)")
+ }
}
}
}
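Review bot: The `eachDependency` rule keys on `details.requested.version?.startsWith('4.1.')`, so an io.netty module requested on another line (a 4.0.x, or a 4.2.x older than the catalog version, which was itself 4.2.12.Final before this commit) is not pinned by this rule and reaches the fixed release only through ordinary conflict resolution; whether those lines are affected by the listed CVEs is not visible here and should be confirmed. The rule also moves libraries built against Netty 4.1 (the runtime-deps listings show `netty-nio-client`, reactor-netty and gRPC alongside it) onto the 4.2 line, where the codec module is split into `netty-codec-base`, `netty-codec-compression` and others, while `netty-tcnative-*` stays at 2.0.74.Final, so the TLS and HTTP/2 paths of the bundles deserve a smoke test before release. I would add a comment above the rule such as `// Cross-line upgrade 4.1 -> 4.2 for every io.netty module; the netty-buffer catalog entry supplies the version for the whole group`, because the alias name suggests it applies to a single artifact. The enclosing `subprojects` block starts outside this hunk.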
diff --git a/flink/v1.20/flink-runtime/runtime-deps.txt
b/flink/v1.20/flink-runtime/runtime-deps.txt
index 00c53ed388..431cbe0d11 100644
--- a/flink/v1.20/flink-runtime/runtime-deps.txt
+++ b/flink/v1.20/flink-runtime/runtime-deps.txt
@@ -1,6 +1,6 @@
com.fasterxml.jackson.core:jackson-annotations:2.21
-com.fasterxml.jackson.core:jackson-core:2.21.2
-com.fasterxml.jackson.core:jackson-databind:2.21.2
+com.fasterxml.jackson.core:jackson-core:2.21.3
+com.fasterxml.jackson.core:jackson-databind:2.21.3
com.github.ben-manes.caffeine:caffeine:2.9.3
com.github.luben:zstd-jni:1.5.7-3
com.google.errorprone:error_prone_annotations:2.10.0
@@ -9,7 +9,7 @@ io.airlift:aircompressor:2.0.3
org.apache.avro:avro:1.12.1
org.apache.datasketches:datasketches-java:6.2.0
org.apache.datasketches:datasketches-memory:3.0.2
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.orc:orc-core:1.9.8
@@ -25,7 +25,7 @@ org.apache.parquet:parquet-variant:1.17.0
org.checkerframework:checker-qual:3.19.0
org.eclipse.microprofile.openapi:microprofile-openapi-api:4.1.1
org.locationtech.jts:jts-core:1.20.0
-org.projectnessie.nessie:nessie-client:0.107.4
-org.projectnessie.nessie:nessie-model:0.107.4
+org.projectnessie.nessie:nessie-client:0.107.5
+org.projectnessie.nessie:nessie-model:0.107.5
org.roaringbitmap:RoaringBitmap:1.6.14
org.threeten:threeten-extra:1.7.1
diff --git a/flink/v2.0/flink-runtime/runtime-deps.txt
b/flink/v2.0/flink-runtime/runtime-deps.txt
index 00c53ed388..431cbe0d11 100644
--- a/flink/v2.0/flink-runtime/runtime-deps.txt
+++ b/flink/v2.0/flink-runtime/runtime-deps.txt
@@ -1,6 +1,6 @@
com.fasterxml.jackson.core:jackson-annotations:2.21
-com.fasterxml.jackson.core:jackson-core:2.21.2
-com.fasterxml.jackson.core:jackson-databind:2.21.2
+com.fasterxml.jackson.core:jackson-core:2.21.3
+com.fasterxml.jackson.core:jackson-databind:2.21.3
com.github.ben-manes.caffeine:caffeine:2.9.3
com.github.luben:zstd-jni:1.5.7-3
com.google.errorprone:error_prone_annotations:2.10.0
@@ -9,7 +9,7 @@ io.airlift:aircompressor:2.0.3
org.apache.avro:avro:1.12.1
org.apache.datasketches:datasketches-java:6.2.0
org.apache.datasketches:datasketches-memory:3.0.2
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.orc:orc-core:1.9.8
@@ -25,7 +25,7 @@ org.apache.parquet:parquet-variant:1.17.0
org.checkerframework:checker-qual:3.19.0
org.eclipse.microprofile.openapi:microprofile-openapi-api:4.1.1
org.locationtech.jts:jts-core:1.20.0
-org.projectnessie.nessie:nessie-client:0.107.4
-org.projectnessie.nessie:nessie-model:0.107.4
+org.projectnessie.nessie:nessie-client:0.107.5
+org.projectnessie.nessie:nessie-model:0.107.5
org.roaringbitmap:RoaringBitmap:1.6.14
org.threeten:threeten-extra:1.7.1
diff --git a/flink/v2.1/flink-runtime/runtime-deps.txt
b/flink/v2.1/flink-runtime/runtime-deps.txt
index 00c53ed388..431cbe0d11 100644
--- a/flink/v2.1/flink-runtime/runtime-deps.txt
+++ b/flink/v2.1/flink-runtime/runtime-deps.txt
@@ -1,6 +1,6 @@
com.fasterxml.jackson.core:jackson-annotations:2.21
-com.fasterxml.jackson.core:jackson-core:2.21.2
-com.fasterxml.jackson.core:jackson-databind:2.21.2
+com.fasterxml.jackson.core:jackson-core:2.21.3
+com.fasterxml.jackson.core:jackson-databind:2.21.3
com.github.ben-manes.caffeine:caffeine:2.9.3
com.github.luben:zstd-jni:1.5.7-3
com.google.errorprone:error_prone_annotations:2.10.0
@@ -9,7 +9,7 @@ io.airlift:aircompressor:2.0.3
org.apache.avro:avro:1.12.1
org.apache.datasketches:datasketches-java:6.2.0
org.apache.datasketches:datasketches-memory:3.0.2
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.orc:orc-core:1.9.8
@@ -25,7 +25,7 @@ org.apache.parquet:parquet-variant:1.17.0
org.checkerframework:checker-qual:3.19.0
org.eclipse.microprofile.openapi:microprofile-openapi-api:4.1.1
org.locationtech.jts:jts-core:1.20.0
-org.projectnessie.nessie:nessie-client:0.107.4
-org.projectnessie.nessie:nessie-model:0.107.4
+org.projectnessie.nessie:nessie-client:0.107.5
+org.projectnessie.nessie:nessie-model:0.107.5
org.roaringbitmap:RoaringBitmap:1.6.14
org.threeten:threeten-extra:1.7.1
diff --git a/gcp-bundle/runtime-deps.txt b/gcp-bundle/runtime-deps.txt
index a109d4fb56..cb95135c07 100644
--- a/gcp-bundle/runtime-deps.txt
+++ b/gcp-bundle/runtime-deps.txt
@@ -77,8 +77,8 @@ io.grpc:grpc-services:1.80.0
io.grpc:grpc-stub:1.80.0
io.grpc:grpc-util:1.80.0
io.grpc:grpc-xds:1.80.0
-io.netty:netty-buffer:4.1.110.Final
-io.netty:netty-common:4.1.110.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
io.opencensus:opencensus-api:0.31.1
io.opencensus:opencensus-contrib-http-util:0.31.1
io.opentelemetry.contrib:opentelemetry-gcp-resources:1.37.0-alpha
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 3ec24e847f..d96a470943 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -33,7 +33,7 @@ arrow = "15.0.2"
avro = "1.12.1"
assertj-core = "3.27.7"
awaitility = "4.3.0"
-awssdk-bom = "2.44.0"
+awssdk-bom = "2.44.4"
azuresdk-bom = "1.3.6"
awssdk-s3accessgrants = "2.4.1"
bouncycastle = "1.84"
@@ -78,7 +78,7 @@ microprofile-openapi-api = "3.1.2"
mockito = "4.11.0"
mockserver = "5.15.0"
nessie = "0.107.5"
-netty-buffer = "4.2.12.Final"
+netty-buffer = "4.2.13.Final"
object-client-bundle = "3.3.2"
orc = "1.9.8"
parquet = "1.17.0"
diff --git a/kafka-connect/kafka-connect-runtime/runtime-deps.txt
b/kafka-connect/kafka-connect-runtime/runtime-deps.txt
index 5457dc7ab9..259de75aaf 100644
--- a/kafka-connect/kafka-connect-runtime/runtime-deps.txt
+++ b/kafka-connect/kafka-connect-runtime/runtime-deps.txt
@@ -8,10 +8,10 @@ com.azure:azure-storage-file-datalake:12.26.3
com.azure:azure-storage-internal-avro:12.18.2
com.azure:azure-xml:1.2.1
com.fasterxml.jackson.core:jackson-annotations:2.21
-com.fasterxml.jackson.core:jackson-core:2.21.2
-com.fasterxml.jackson.core:jackson-databind:2.21.2
-com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.21.2
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.2
+com.fasterxml.jackson.core:jackson-core:2.21.3
+com.fasterxml.jackson.core:jackson-databind:2.21.3
+com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.21.3
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.3
com.fasterxml.woodstox:woodstox-core:6.7.0
com.github.ben-manes.caffeine:caffeine:2.9.3
com.github.luben:zstd-jni:1.5.7-3
@@ -99,27 +99,31 @@ io.grpc:grpc-services:1.80.0
io.grpc:grpc-stub:1.80.0
io.grpc:grpc-util:1.80.0
io.grpc:grpc-xds:1.80.0
-io.netty:netty-buffer:4.1.132.Final
-io.netty:netty-codec-dns:4.1.128.Final
-io.netty:netty-codec-http2:4.1.132.Final
-io.netty:netty-codec-http:4.1.132.Final
-io.netty:netty-codec-socks:4.1.130.Final
-io.netty:netty-codec:4.1.132.Final
-io.netty:netty-common:4.1.132.Final
-io.netty:netty-handler-proxy:4.1.130.Final
-io.netty:netty-handler:4.1.132.Final
-io.netty:netty-resolver-dns-classes-macos:4.1.128.Final
-io.netty:netty-resolver-dns-native-macos:4.1.128.Final
-io.netty:netty-resolver-dns:4.1.128.Final
-io.netty:netty-resolver:4.1.132.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-codec-base:4.2.13.Final
+io.netty:netty-codec-compression:4.2.13.Final
+io.netty:netty-codec-dns:4.2.13.Final
+io.netty:netty-codec-http2:4.2.13.Final
+io.netty:netty-codec-http:4.2.13.Final
+io.netty:netty-codec-marshalling:4.2.13.Final
+io.netty:netty-codec-protobuf:4.2.13.Final
+io.netty:netty-codec-socks:4.2.13.Final
+io.netty:netty-codec:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
+io.netty:netty-handler-proxy:4.2.13.Final
+io.netty:netty-handler:4.2.13.Final
+io.netty:netty-resolver-dns-classes-macos:4.2.13.Final
+io.netty:netty-resolver-dns-native-macos:4.2.13.Final
+io.netty:netty-resolver-dns:4.2.13.Final
+io.netty:netty-resolver:4.2.13.Final
io.netty:netty-tcnative-boringssl-static:2.0.74.Final
io.netty:netty-tcnative-classes:2.0.74.Final
-io.netty:netty-transport-classes-epoll:4.1.132.Final
-io.netty:netty-transport-classes-kqueue:4.1.130.Final
-io.netty:netty-transport-native-epoll:4.1.130.Final
-io.netty:netty-transport-native-kqueue:4.1.130.Final
-io.netty:netty-transport-native-unix-common:4.1.132.Final
-io.netty:netty-transport:4.1.132.Final
+io.netty:netty-transport-classes-epoll:4.2.13.Final
+io.netty:netty-transport-classes-kqueue:4.2.13.Final
+io.netty:netty-transport-native-epoll:4.2.13.Final
+io.netty:netty-transport-native-kqueue:4.2.13.Final
+io.netty:netty-transport-native-unix-common:4.2.13.Final
+io.netty:netty-transport:4.2.13.Final
io.opencensus:opencensus-api:0.31.1
io.opencensus:opencensus-contrib-http-util:0.31.1
io.opentelemetry.contrib:opentelemetry-gcp-resources:1.37.0-alpha
@@ -159,7 +163,7 @@ org.apache.hadoop.thirdparty:hadoop-shaded-guava:1.5.0
org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_25:1.5.0
org.apache.hadoop:hadoop-annotations:3.4.3
org.apache.hadoop:hadoop-common:3.4.3
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.httpcomponents:httpclient:4.5.14
@@ -174,7 +178,7 @@ org.apache.parquet:parquet-format-structures:1.17.0
org.apache.parquet:parquet-hadoop:1.17.0
org.apache.parquet:parquet-jackson:1.17.0
org.apache.parquet:parquet-variant:1.17.0
-org.bouncycastle:bcprov-jdk18on:1.82
+org.bouncycastle:bcprov-jdk18on:1.84
org.checkerframework:checker-compat-qual:2.5.6
org.checkerframework:checker-qual:3.49.0
org.codehaus.jettison:jettison:1.5.5
@@ -191,43 +195,43 @@ org.threeten:threeten-extra:1.8.0
org.threeten:threetenbp:1.7.0
org.xerial.snappy:snappy-java:1.1.10.8
software.amazon.awssdk.crt:aws-crt:0.45.1
-software.amazon.awssdk:annotations:2.44.0
-software.amazon.awssdk:apache-client:2.44.0
-software.amazon.awssdk:arns:2.44.0
-software.amazon.awssdk:auth:2.44.0
-software.amazon.awssdk:aws-core:2.44.0
-software.amazon.awssdk:aws-json-protocol:2.44.0
-software.amazon.awssdk:aws-query-protocol:2.44.0
-software.amazon.awssdk:aws-xml-protocol:2.44.0
-software.amazon.awssdk:checksums-spi:2.44.0
-software.amazon.awssdk:checksums:2.44.0
-software.amazon.awssdk:crt-core:2.44.0
-software.amazon.awssdk:dynamodb:2.44.0
-software.amazon.awssdk:endpoints-spi:2.44.0
-software.amazon.awssdk:glue:2.44.0
-software.amazon.awssdk:http-auth-aws-crt:2.44.0
-software.amazon.awssdk:http-auth-aws-eventstream:2.44.0
-software.amazon.awssdk:http-auth-aws:2.44.0
-software.amazon.awssdk:http-auth-spi:2.44.0
-software.amazon.awssdk:http-auth:2.44.0
-software.amazon.awssdk:http-client-spi:2.44.0
-software.amazon.awssdk:iam:2.44.0
-software.amazon.awssdk:identity-spi:2.44.0
-software.amazon.awssdk:json-utils:2.44.0
-software.amazon.awssdk:kms:2.44.0
-software.amazon.awssdk:lakeformation:2.44.0
-software.amazon.awssdk:metrics-spi:2.44.0
-software.amazon.awssdk:netty-nio-client:2.44.0
-software.amazon.awssdk:profiles:2.44.0
-software.amazon.awssdk:protocol-core:2.44.0
-software.amazon.awssdk:regions:2.44.0
-software.amazon.awssdk:retries-spi:2.44.0
-software.amazon.awssdk:retries:2.44.0
-software.amazon.awssdk:s3:2.44.0
-software.amazon.awssdk:sdk-core:2.44.0
-software.amazon.awssdk:sso:2.44.0
-software.amazon.awssdk:sts:2.44.0
-software.amazon.awssdk:third-party-jackson-core:2.44.0
-software.amazon.awssdk:utils-lite:2.44.0
-software.amazon.awssdk:utils:2.44.0
+software.amazon.awssdk:annotations:2.44.4
+software.amazon.awssdk:apache-client:2.44.4
+software.amazon.awssdk:arns:2.44.4
+software.amazon.awssdk:auth:2.44.4
+software.amazon.awssdk:aws-core:2.44.4
+software.amazon.awssdk:aws-json-protocol:2.44.4
+software.amazon.awssdk:aws-query-protocol:2.44.4
+software.amazon.awssdk:aws-xml-protocol:2.44.4
+software.amazon.awssdk:checksums-spi:2.44.4
+software.amazon.awssdk:checksums:2.44.4
+software.amazon.awssdk:crt-core:2.44.4
+software.amazon.awssdk:dynamodb:2.44.4
+software.amazon.awssdk:endpoints-spi:2.44.4
+software.amazon.awssdk:glue:2.44.4
+software.amazon.awssdk:http-auth-aws-crt:2.44.4
+software.amazon.awssdk:http-auth-aws-eventstream:2.44.4
+software.amazon.awssdk:http-auth-aws:2.44.4
+software.amazon.awssdk:http-auth-spi:2.44.4
+software.amazon.awssdk:http-auth:2.44.4
+software.amazon.awssdk:http-client-spi:2.44.4
+software.amazon.awssdk:iam:2.44.4
+software.amazon.awssdk:identity-spi:2.44.4
+software.amazon.awssdk:json-utils:2.44.4
+software.amazon.awssdk:kms:2.44.4
+software.amazon.awssdk:lakeformation:2.44.4
+software.amazon.awssdk:metrics-spi:2.44.4
+software.amazon.awssdk:netty-nio-client:2.44.4
+software.amazon.awssdk:profiles:2.44.4
+software.amazon.awssdk:protocol-core:2.44.4
+software.amazon.awssdk:regions:2.44.4
+software.amazon.awssdk:retries-spi:2.44.4
+software.amazon.awssdk:retries:2.44.4
+software.amazon.awssdk:s3:2.44.4
+software.amazon.awssdk:sdk-core:2.44.4
+software.amazon.awssdk:sso:2.44.4
+software.amazon.awssdk:sts:2.44.4
+software.amazon.awssdk:third-party-jackson-core:2.44.4
+software.amazon.awssdk:utils-lite:2.44.4
+software.amazon.awssdk:utils:2.44.4
software.amazon.eventstream:eventstream:1.0.1
diff --git a/spark/v3.4/spark-runtime/runtime-deps.txt
b/spark/v3.4/spark-runtime/runtime-deps.txt
index fa0b58c856..858171371e 100644
--- a/spark/v3.4/spark-runtime/runtime-deps.txt
+++ b/spark/v3.4/spark-runtime/runtime-deps.txt
@@ -1,14 +1,14 @@
com.fasterxml.jackson.core:jackson-annotations:2.21
com.fasterxml.jackson.core:jackson-core:2.14.2
com.fasterxml.jackson.core:jackson-databind:2.14.2
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.2
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.3
com.github.ben-manes.caffeine:caffeine:2.9.3
com.google.errorprone:error_prone_annotations:2.10.0
com.google.flatbuffers:flatbuffers-java:23.5.26
dev.failsafe:failsafe:3.3.2
io.airlift:aircompressor:2.0.3
-io.netty:netty-buffer:4.2.12.Final
-io.netty:netty-common:4.2.12.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
org.apache.arrow:arrow-format:15.0.2
org.apache.arrow:arrow-memory-core:15.0.2
org.apache.arrow:arrow-memory-netty:15.0.2
@@ -16,7 +16,7 @@ org.apache.arrow:arrow-vector:15.0.2
org.apache.avro:avro:1.12.1
org.apache.datasketches:datasketches-java:6.2.0
org.apache.datasketches:datasketches-memory:3.0.2
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.orc:orc-core:1.9.8
@@ -34,7 +34,7 @@ org.eclipse.collections:eclipse-collections-api:11.1.0
org.eclipse.collections:eclipse-collections:11.1.0
org.eclipse.microprofile.openapi:microprofile-openapi-api:4.1.1
org.locationtech.jts:jts-core:1.20.0
-org.projectnessie.nessie:nessie-client:0.107.4
-org.projectnessie.nessie:nessie-model:0.107.4
+org.projectnessie.nessie:nessie-client:0.107.5
+org.projectnessie.nessie:nessie-model:0.107.5
org.roaringbitmap:RoaringBitmap:1.6.14
org.threeten:threeten-extra:1.7.1
diff --git a/spark/v3.5/spark-runtime/runtime-deps.txt
b/spark/v3.5/spark-runtime/runtime-deps.txt
index 9a087517cb..dc3fbeb7e9 100644
--- a/spark/v3.5/spark-runtime/runtime-deps.txt
+++ b/spark/v3.5/spark-runtime/runtime-deps.txt
@@ -1,14 +1,14 @@
com.fasterxml.jackson.core:jackson-annotations:2.21
com.fasterxml.jackson.core:jackson-core:2.15.2
com.fasterxml.jackson.core:jackson-databind:2.15.2
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.2
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.3
com.github.ben-manes.caffeine:caffeine:2.9.3
com.google.errorprone:error_prone_annotations:2.10.0
com.google.flatbuffers:flatbuffers-java:23.5.26
dev.failsafe:failsafe:3.3.2
io.airlift:aircompressor:2.0.3
-io.netty:netty-buffer:4.2.12.Final
-io.netty:netty-common:4.2.12.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
org.apache.arrow:arrow-format:15.0.2
org.apache.arrow:arrow-memory-core:15.0.2
org.apache.arrow:arrow-memory-netty:15.0.2
@@ -16,7 +16,7 @@ org.apache.arrow:arrow-vector:15.0.2
org.apache.avro:avro:1.12.1
org.apache.datasketches:datasketches-java:6.2.0
org.apache.datasketches:datasketches-memory:3.0.2
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.orc:orc-core:1.9.8
@@ -34,7 +34,7 @@ org.eclipse.collections:eclipse-collections-api:11.1.0
org.eclipse.collections:eclipse-collections:11.1.0
org.eclipse.microprofile.openapi:microprofile-openapi-api:4.1.1
org.locationtech.jts:jts-core:1.20.0
-org.projectnessie.nessie:nessie-client:0.107.4
-org.projectnessie.nessie:nessie-model:0.107.4
+org.projectnessie.nessie:nessie-client:0.107.5
+org.projectnessie.nessie:nessie-model:0.107.5
org.roaringbitmap:RoaringBitmap:1.6.14
org.threeten:threeten-extra:1.7.1
diff --git a/spark/v4.0/spark-runtime/runtime-deps.txt
b/spark/v4.0/spark-runtime/runtime-deps.txt
index 9a087517cb..dc3fbeb7e9 100644
--- a/spark/v4.0/spark-runtime/runtime-deps.txt
+++ b/spark/v4.0/spark-runtime/runtime-deps.txt
@@ -1,14 +1,14 @@
com.fasterxml.jackson.core:jackson-annotations:2.21
com.fasterxml.jackson.core:jackson-core:2.15.2
com.fasterxml.jackson.core:jackson-databind:2.15.2
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.2
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.3
com.github.ben-manes.caffeine:caffeine:2.9.3
com.google.errorprone:error_prone_annotations:2.10.0
com.google.flatbuffers:flatbuffers-java:23.5.26
dev.failsafe:failsafe:3.3.2
io.airlift:aircompressor:2.0.3
-io.netty:netty-buffer:4.2.12.Final
-io.netty:netty-common:4.2.12.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
org.apache.arrow:arrow-format:15.0.2
org.apache.arrow:arrow-memory-core:15.0.2
org.apache.arrow:arrow-memory-netty:15.0.2
@@ -16,7 +16,7 @@ org.apache.arrow:arrow-vector:15.0.2
org.apache.avro:avro:1.12.1
org.apache.datasketches:datasketches-java:6.2.0
org.apache.datasketches:datasketches-memory:3.0.2
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.orc:orc-core:1.9.8
@@ -34,7 +34,7 @@ org.eclipse.collections:eclipse-collections-api:11.1.0
org.eclipse.collections:eclipse-collections:11.1.0
org.eclipse.microprofile.openapi:microprofile-openapi-api:4.1.1
org.locationtech.jts:jts-core:1.20.0
-org.projectnessie.nessie:nessie-client:0.107.4
-org.projectnessie.nessie:nessie-model:0.107.4
+org.projectnessie.nessie:nessie-client:0.107.5
+org.projectnessie.nessie:nessie-model:0.107.5
org.roaringbitmap:RoaringBitmap:1.6.14
org.threeten:threeten-extra:1.7.1
diff --git a/spark/v4.1/spark-runtime/runtime-deps.txt
b/spark/v4.1/spark-runtime/runtime-deps.txt
index 9a087517cb..dc3fbeb7e9 100644
--- a/spark/v4.1/spark-runtime/runtime-deps.txt
+++ b/spark/v4.1/spark-runtime/runtime-deps.txt
@@ -1,14 +1,14 @@
com.fasterxml.jackson.core:jackson-annotations:2.21
com.fasterxml.jackson.core:jackson-core:2.15.2
com.fasterxml.jackson.core:jackson-databind:2.15.2
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.2
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.3
com.github.ben-manes.caffeine:caffeine:2.9.3
com.google.errorprone:error_prone_annotations:2.10.0
com.google.flatbuffers:flatbuffers-java:23.5.26
dev.failsafe:failsafe:3.3.2
io.airlift:aircompressor:2.0.3
-io.netty:netty-buffer:4.2.12.Final
-io.netty:netty-common:4.2.12.Final
+io.netty:netty-buffer:4.2.13.Final
+io.netty:netty-common:4.2.13.Final
org.apache.arrow:arrow-format:15.0.2
org.apache.arrow:arrow-memory-core:15.0.2
org.apache.arrow:arrow-memory-netty:15.0.2
@@ -16,7 +16,7 @@ org.apache.arrow:arrow-vector:15.0.2
org.apache.avro:avro:1.12.1
org.apache.datasketches:datasketches-java:6.2.0
org.apache.datasketches:datasketches-memory:3.0.2
-org.apache.httpcomponents.client5:httpclient5:5.6
+org.apache.httpcomponents.client5:httpclient5:5.6.1
org.apache.httpcomponents.core5:httpcore5-h2:5.4
org.apache.httpcomponents.core5:httpcore5:5.4
org.apache.orc:orc-core:1.9.8
@@ -34,7 +34,7 @@ org.eclipse.collections:eclipse-collections-api:11.1.0
org.eclipse.collections:eclipse-collections:11.1.0
org.eclipse.microprofile.openapi:microprofile-openapi-api:4.1.1
org.locationtech.jts:jts-core:1.20.0
-org.projectnessie.nessie:nessie-client:0.107.4
-org.projectnessie.nessie:nessie-model:0.107.4
+org.projectnessie.nessie:nessie-client:0.107.5
+org.projectnessie.nessie:nessie-model:0.107.5
org.roaringbitmap:RoaringBitmap:1.6.14
org.threeten:threeten-extra:1.7.1