This is an automated email from the ASF dual-hosted git repository.

JingsongLi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/paimon.git


The following commit(s) were added to refs/heads/master by this push:
     new 73d38b6df3 [fs] Force CVE-patched commons-lang3 and snappy-java in 
hadoop-shaded (#8560)
73d38b6df3 is described below

commit 73d38b6df3c3ec26680af82e68e3c9ce9e649a25
Author: Eunbin Son <[email protected]>
AuthorDate: Mon Jul 13 11:21:21 2026 +0900

    [fs] Force CVE-patched commons-lang3 and snappy-java in hadoop-shaded 
(#8560)
---
 paimon-filesystems/paimon-hadoop-shaded/pom.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/paimon-filesystems/paimon-hadoop-shaded/pom.xml 
b/paimon-filesystems/paimon-hadoop-shaded/pom.xml
index 585511378d..cdd2363b6c 100644
--- a/paimon-filesystems/paimon-hadoop-shaded/pom.xml
+++ b/paimon-filesystems/paimon-hadoop-shaded/pom.xml
@@ -44,6 +44,18 @@
                 <artifactId>commons-beanutils</artifactId>
                 <version>${commons.beanutils.version}</version>
             </dependency>
+            <dependency>
+                <!-- Bumped for security purposes (CVE-2025-48924); aligns 
bundled version with NOTICE -->
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>3.18.0</version>
+            </dependency>
+            <dependency>
+                <!-- Bumped for security purposes; aligns bundled version with 
NOTICE -->
+                <groupId>org.xerial.snappy</groupId>
+                <artifactId>snappy-java</artifactId>
+                <version>${snappy.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

Reply via email to