xiangfu0 opened a new pull request, #18647: URL: https://github.com/apache/pinot/pull/18647
## Summary

- Upgrade managed Eclipse Jetty dependencies to `12.0.35`.
- Exclude Hadoop/Spark transitive Jetty 9-only servlet/webapp/websocket artifacts and ban Jetty versions below `12.0.35`.
- Ban `org.apache.hadoop:hadoop-client-runtime`, which embeds relocated Jetty 9 classes.
- Add `pinot-hadoop-shaded-xml` to provide Hadoop-compatible relocated Woodstox/StAX XML classes for Parquet without reintroducing the Hadoop runtime jar.
- Update `LICENSE-binary` for the Jetty 12 and Woodstox/StAX dependency inventory.

## Why

This removes the Jetty 9 dependency surface from Pinot's optional Hadoop/Spark/Pulsar plugin paths for CVE-2026-2332. Pinot's own HTTP stack remains Grizzly/Jersey; this is dependency hygiene for optional plugin/runtime artifacts.

## User Manual / Config Impact

No Pinot table config, query syntax, or user-facing HTTP configuration changes are required. No sample table config or query changes are applicable for this dependency-only migration.

## Validation

- `./mvnw -pl pinot-tools,pinot-plugins/pinot-file-system/pinot-hdfs,pinot-plugins/pinot-input-format/pinot-orc,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-hadoop,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3,pinot-plugins/pinot-stream-ingestion/pinot-pulsar -am validate -DskipTests`
- `./mvnw -pl pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet -am '-Dtest=Parquet*Test' -Dsurefire.failIfNoSpecifiedTests=false test`
- `./mvnw -pl pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet -am package -DskipTests`
- `./mvnw -pl pinot-tools,pinot-plugins/pinot-file-system/pinot-hdfs,pinot-plugins/pinot-input-format/pinot-orc,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-hadoop,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3,pinot-plugins/pinot-stream-ingestion/pinot-pulsar -am dependency:tree -Dincludes=org.eclipse.jetty,org.eclipse.jetty.websocket,org.eclipse.jetty.ee8,org.apache.hadoop:hadoop-client-runtime -DskipTests`
- `./mvnw spotless:apply -pl pinot-bom,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3`
- `./mvnw license:format -pl pinot-bom,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3`
- `./mvnw checkstyle:check -pl pinot-bom,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3`
- `./mvnw license:check -pl pinot-bom,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3`
- `git diff --check`
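
A check over `dependency:tree` output that enforces the two bans listed in the summary, added here as an example and not part of the pull request or of Pinot's build. The function names, the reason strings and the sample tree (placeholder module names and versions) are assumptions made for illustration.

```python
import re
import sys

# Policy from the PR description: Jetty floor, Jetty groups it inspects, banned jar.
JETTY_FLOOR = (12, 0, 35)
JETTY_GROUPS = {"org.eclipse.jetty", "org.eclipse.jetty.websocket", "org.eclipse.jetty.ee8"}
BANNED = {("org.apache.hadoop", "hadoop-client-runtime")}

# group:artifact:type[:classifier]:version[:scope], after the tree-drawing prefix.
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")

# Constructed sample output; module names and versions are placeholders.
SAMPLE_TREE = r"""
[INFO] org.apache.pinot:pinot-hdfs:jar:0.0.0-SAMPLE
[INFO] +- org.apache.hadoop:hadoop-client-runtime:jar:0.0.0-SAMPLE:runtime
[INFO] +- org.apache.hadoop:hadoop-common:jar:0.0.0-SAMPLE:compile
[INFO] |  \- org.eclipse.jetty:jetty-server:jar:9.4.99.v00000000:compile
[INFO] +- org.eclipse.jetty.websocket:websocket-client:jar:9.4.99.v00000000:compile
[INFO] \- org.eclipse.jetty:jetty-client:jar:12.0.35:compile
"""

def version_key(version):
    """Leading numeric components: '9.4.99.v00000000' -> (9, 4, 99)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_violations(tree_text):
    """Return sorted (group, artifact, version, reason) tuples."""
    found = set()
    for line in tree_text.splitlines():
        match = COORD.search(line)
        if not match:
            continue
        parts = match.group(0).split(":")
        group, artifact = parts[0], parts[1]
        # Only the root project line has four fields (no scope).
        version = parts[-1] if len(parts) == 4 else parts[-2]
        if (group, artifact) in BANNED:
            found.add((group, artifact, version, "banned artifact"))
        elif group in JETTY_GROUPS and version_key(version) < JETTY_FLOOR:
            found.add((group, artifact, version, "jetty below 12.0.35"))
    return sorted(found)

if __name__ == "__main__":
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    violations = find_violations(text)
    for v in violations:
        print("VIOLATION %s:%s:%s (%s)" % v)
    sys.exit(1 if violations else 0)
```

Classes relocated inside a jar do not appear as Jetty coordinates in the tree, so the banned artifact is matched by coordinate rather than by version.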
