ZachChuba opened a new issue, #24817: URL: https://github.com/apache/pulsar/issues/24817
### Search before reporting

- [x] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Read release policy

- [x] I understand that [unsupported versions](https://pulsar.apache.org/contribute/release-policy/#supported-versions) don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

### User environment

Pulsar-Client version [4.0.6,4.1.+]

### Issue Description

pulsar-client shades in commons-collections:commons-collections 3.2.2 which is vulnerable to sonatype-2024-3350 DOS attack. bookkeeper 4.17.2 introduces this dependency by shading in commons-beanutils 1.11.0.

Exploitability on pulsar appears non-existent, but this is coming up in enterprise security scan reports.

### Error messages

```text
```

### Reproducing the issue

Classpath analysis

### Additional information

_No response_

### Are you willing to submit a PR?

- [x] I'm willing to submit a PR!
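
The "Classpath analysis" step named in the issue, as an added example that is not part of the original report or of Pulsar's code: a Python scan of a jar for commons-collections 3.x classes under any shade relocation prefix, with the version read from Maven metadata when the shaded jar retains it. The sample jar, its `org/example/shade/` prefix and the function names are constructed for illustration.

```python
import io
import re
import zipfile

# Unrelocated package path of commons-collections 3.x (4.x uses ".../collections4/").
TARGET_PKG = "org/apache/commons/collections/"
POM_PROPS = "META-INF/maven/commons-collections/commons-collections/pom.properties"


def find_shaded_collections(jar_bytes):
    """Return (sorted relocation prefixes, version or None) for commons-collections 3.x."""
    prefixes, version = set(), None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                idx = name.find(TARGET_PKG)
                # Match only on a path boundary; text before it is the shade
                # relocation prefix ("" when the classes are not relocated).
                if idx != -1 and (idx == 0 or name[idx - 1] == "/"):
                    prefixes.add(name[:idx])
            elif name == POM_PROPS:
                # Present only if the shading step kept the original metadata.
                m = re.search(r"^version=(.+)$", jar.read(name).decode(), re.M)
                if m:
                    version = m.group(1).strip()
    return sorted(prefixes), version


def build_sample_jar(with_collections=True):
    """Constructed jar used as sample input (not a real Pulsar artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/client/Main.class", b"")
        # A 4.x class must not be reported as 3.x.
        jar.writestr("org/example/shade/org/apache/commons/collections4/map/LRUMap.class", b"")
        if with_collections:
            jar.writestr("org/example/shade/org/apache/commons/collections/map/LRUMap.class", b"")
            jar.writestr(POM_PROPS, "artifactId=commons-collections\nversion=3.2.2\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_shaded_collections(build_sample_jar()))
```

A hit on the class path with no metadata version still confirms the shaded copy is on the classpath; the version then has to come from the build's dependency tree.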
