guptas6est commented on code in PR #24946:
URL: https://github.com/apache/pulsar/pull/24946#discussion_r2493918429


##########
pulsar-io/flume/pom.xml:
##########
@@ -61,6 +61,18 @@
                     <artifactId>avro</artifactId>
                     <groupId>org.apache.avro</groupId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.mina</groupId>
+                    <artifactId>mina-core</artifactId>
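
Review bot: The two added `<exclusion>` entries (`tomcat-embed-core` and `mina-core`) carry no comment saying why they are excluded, so a later dependency bump has nothing to tell it whether they can be dropped or must stay. Add a short XML comment above each one naming the reason for the exclusion. An exclusion also removes the artifact from the connector's classpath entirely, so before merging please confirm with a connector test that the dependency this exclusion list belongs to never loads classes from either artifact at runtime. If it does, the failure will only surface as a `NoClassDefFoundError` when that code path runs.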

Review Comment:
   Instead of excluding mina-core, would it be acceptable to override mina-core 
to the latest fixed version (2.2.4) in dependencyManagement?
   This version includes the fix for CVE-2024-52046, so it should allow us to 
remediate the vulnerability without breaking the Flume connector.
   Please let me know if this approach works for you. Thanks!



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
