lhotari opened a new pull request, #25855:
URL: https://github.com/apache/pulsar/pull/25855
Closes #25763

### Motivation

The explicit `kotlin-stdlib` version override was added in PR #13065 to mitigate [CVE-2020-29582](https://nvd.nist.gov/vuln/detail/CVE-2020-29582), which only affects Kotlin `< 1.4.21`. With the recent upgrade to `okhttp3` 5.x and `okio` 3.x, the transitive `kotlin-stdlib` is already on a modern major (2.x), so the override is no longer necessary. Worse, pinning to `1.8.20` was downgrading a transitive resolution that would naturally land on `2.2.21`, and `1.8.20` is itself out of support.

While here, this also resolves a transitive version split: `opentelemetry-exporter-sender-okhttp:1.62.0` was bringing in `okhttp:5.3.2`, but the `okhttp-bom:5.3.1` constraint forced it back down to `5.3.1`. Aligning the BOM to `5.3.2` removes the mismatch.

`org.jetbrains:annotations` is no longer pinned in the catalog either — it now resolves naturally to `13.0` as requested by `kotlin-stdlib` 2.2.21 (not forced).

### Modifications

* `gradle/libs.versions.toml`
  * `okhttp3`: `5.3.1` → `5.3.2`
  * `okio`: `3.16.3` → `3.17.0`
  * Remove `kotlin-stdlib = "1.8.20"` version and catalog entry — resolves transitively to `2.2.21` via okio/okhttp.
  * Remove `jetbrains-annotations = "13.0"` — was unused outside the explicit dist declaration; resolves naturally to `13.0` via `kotlin-stdlib`.
* `distribution/server/build.gradle.kts`
  * Remove explicit `distLib` entries for `kotlin-stdlib`, `kotlin-stdlib-common`, and `org.jetbrains:annotations`. These now flow in transitively. (`kotlin-stdlib-common` is no longer published as a separate JVM artifact in Kotlin 2.x — it is bundled into `kotlin-stdlib`.)
* `distribution/server/src/assemble/LICENSE.bin.txt`
  * Update version numbers for `okhttp3-*`, `okio-jvm`, and `kotlin-stdlib`.
  * Drop the `kotlin-stdlib-common` entry (no longer in the distribution).
Affected transitive consumers verified compatible:

- `io.kubernetes:client-java:23.0.0` (Pulsar Functions kubernetes runtime)
- `io.opentelemetry:opentelemetry-exporter-sender-okhttp:1.62.0`
- `pulsar-broker-auth-oidc` (direct usage)
- Tests in `pulsar-broker` and `pulsar-proxy`

The contents of the built `apache-pulsar-*-bin.tar.gz` were inspected to confirm the new versions land in `lib/`:

```
lib/com.squareup.okhttp3-logging-interceptor-5.3.2.jar
lib/com.squareup.okhttp3-okhttp-jvm-5.3.2.jar
lib/com.squareup.okio-okio-jvm-3.17.0.jar
lib/org.jetbrains.kotlin-kotlin-stdlib-2.2.21.jar
lib/org.jetbrains-annotations-13.0.jar
```

### Verifying this change

- [x] Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Local verification performed:

- `./gradlew :distribution:pulsar-server-distribution:checkBinaryLicense` — passes
- `./gradlew :distribution:pulsar-shell-distribution:checkBinaryLicense` — passes
- `./gradlew spotlessCheck` — passes
- Inspected resolved dependency tree to confirm `kotlin-stdlib` is no longer forced to `1.8.20` and that `okhttp3`/`okio` resolve to the aligned versions.

### Does this pull request potentially affect one of the following parts:

- [x] Dependencies (add or upgrade a dependency)
- [ ] The public API
- [ ] The schema
- [ ] The default values of configurations
- [ ] The threading model
- [ ] The binary protocol
- [ ] The REST endpoints
- [ ] The admin CLI options
- [ ] The metrics
- [ ] Anything that affects deployment

### Documentation

- [x] `no-need-doc`

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
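The PR verifies the fix by inspecting the tarball's `lib/` listing by eye. The following is an added example, not code from the PR or the Pulsar project, that automates that check over such a listing: it parses the `<groupId>-<artifactId>-<version>.jar` names shown above, flags the same coordinate bundled at two versions (the okhttp `5.3.1`/`5.3.2` split the BOM alignment removes), and flags jars below an advisory floor such as `kotlin-stdlib < 1.4.21` for CVE-2020-29582. The extra `okhttp-jvm-5.3.1.jar` entry in the sample is constructed to stage the split; the `1.4.21` floor is taken from the PR text.

```python
"""Added example, not Pulsar project code: checks a distribution's lib/ jars,
named <groupId>-<artifactId>-<version>.jar as in the PR listing, for the same
coordinate bundled at two versions and for versions below an advisory floor."""
import re
from collections import defaultdict

# <artifactId>-<version>: dotted digits plus optional qualifier such as -SNAPSHOT.
_ART_VER = re.compile(r"^(?P<artifact>.+)-(?P<version>\d+(?:\.\d+)*(?:[.-][0-9A-Za-z]+)*)$")

def parse_jar(path):
    """Return (group, artifact, version) for a lib/ jar path, or None if unparseable."""
    name = path.rsplit("/", 1)[-1]
    if not name.endswith(".jar"):
        return None
    group, sep, rest = name[:-4].partition("-")  # Maven groupIds contain no '-'
    m = _ART_VER.match(rest) if sep else None
    return (group, m.group("artifact"), m.group("version")) if m else None

def version_key(version):
    """Numeric dotted prefix as an int tuple; qualifiers are ignored for ordering."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group(0).split("."))

def find_version_splits(paths):
    """Map 'group:artifact' -> sorted versions for coordinates bundled more than once."""
    seen = defaultdict(set)
    for group, artifact, version in filter(None, map(parse_jar, paths)):
        seen[f"{group}:{artifact}"].add(version)
    return {ga: sorted(vs, key=version_key) for ga, vs in seen.items() if len(vs) > 1}

def check_minimums(paths, floors):
    """Return [(group:artifact, found, floor)] for jars below an advisory minimum."""
    hits = []
    for group, artifact, version in filter(None, map(parse_jar, paths)):
        floor = floors.get(f"{group}:{artifact}")
        if floor and version_key(version) < version_key(floor):
            hits.append((f"{group}:{artifact}", version, floor))
    return hits

# The PR's five lib/ jars plus a constructed stale okhttp-jvm 5.3.1 jar (version split).
SAMPLE_LIB = [
    "lib/com.squareup.okhttp3-logging-interceptor-5.3.2.jar",
    "lib/com.squareup.okhttp3-okhttp-jvm-5.3.2.jar",
    "lib/com.squareup.okio-okio-jvm-3.17.0.jar",
    "lib/org.jetbrains.kotlin-kotlin-stdlib-2.2.21.jar",
    "lib/org.jetbrains-annotations-13.0.jar",
    "lib/com.squareup.okhttp3-okhttp-jvm-5.3.1.jar",  # constructed
]
# Floor taken from the PR text: CVE-2020-29582 affects kotlin-stdlib < 1.4.21.
ADVISORY_FLOORS = {"org.jetbrains.kotlin:kotlin-stdlib": "1.4.21"}
```

Run against the real `lib/` directory with `find_version_splits(os.listdir("lib"))` in a release check; an empty dict and an empty violation list is the expected result after this PR.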
