This is an automated email from the ASF dual-hosted git repository.

ruifengz pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.5 by this push:
     new 91606de8ce72 [SPARK-54649][BUILD][3.5] Upgrade Jersey to 2.47
91606de8ce72 is described below

commit 91606de8ce723efa6e03cc1fa7a57483ab373a5b
Author: Cheng Pan <[email protected]>
AuthorDate: Wed Dec 17 10:41:05 2025 +0800

    [SPARK-54649][BUILD][3.5] Upgrade Jersey to 2.47
    
    ### What changes were proposed in this pull request?
    
    A dependency patch version upgrade for security.
    
    ### Why are the changes needed?
    
    To fix CVE-2025-12383.
    
    ### Does this PR introduce _any_ user-facing change?
    
    No.
    
    ### How was this patch tested?
    
    Pass GHA.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    No.
    
    Closes #53404 from pan3793/SPARK-54649-3.5.
    
    Authored-by: Cheng Pan <[email protected]>
    Signed-off-by: Ruifeng Zheng <[email protected]>
---
 dev/deps/spark-deps-hadoop-3-hive-2.3 | 14 +++++++-------
 pom.xml                               |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 
b/dev/deps/spark-deps-hadoop-3-hive-2.3
index c7aa3eea703a..893f3e24aa65 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -115,7 +115,7 @@ 
jakarta.validation-api/2.0.2//jakarta.validation-api-2.0.2.jar
 jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
 jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
 janino/3.1.9//janino-3.1.9.jar
-javassist/3.29.2-GA//javassist-3.29.2-GA.jar
+javassist/3.30.2-GA//javassist-3.30.2-GA.jar
 javax.jdo/3.2.0-m3//javax.jdo-3.2.0-m3.jar
 javolution/5.5.1//javolution-5.5.1.jar
 jaxb-api/2.2.11//jaxb-api-2.2.11.jar
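Review bot: The javassist line moves from 3.29.2-GA to 3.30.2-GA, but the commit title and description mention only Jersey, so this change is undocumented. The pom.xml part of this commit touches only jersey.version, which suggests the new javassist version arrives transitively. Please say so in the description, so that anyone auditing the dependency manifest can tell this was an expected side effect and not an unrelated bump that slipped in.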
@@ -123,12 +123,12 @@ jaxb-runtime/2.3.2//jaxb-runtime-2.3.2.jar
 jcl-over-slf4j/2.0.7//jcl-over-slf4j-2.0.7.jar
 jdo-api/3.0.1//jdo-api-3.0.1.jar
 jdom2/2.0.6//jdom2-2.0.6.jar
-jersey-client/2.40//jersey-client-2.40.jar
-jersey-common/2.40//jersey-common-2.40.jar
-jersey-container-servlet-core/2.40//jersey-container-servlet-core-2.40.jar
-jersey-container-servlet/2.40//jersey-container-servlet-2.40.jar
-jersey-hk2/2.40//jersey-hk2-2.40.jar
-jersey-server/2.40//jersey-server-2.40.jar
+jersey-client/2.47//jersey-client-2.47.jar
+jersey-common/2.47//jersey-common-2.47.jar
+jersey-container-servlet-core/2.47//jersey-container-servlet-core-2.47.jar
+jersey-container-servlet/2.47//jersey-container-servlet-2.47.jar
+jersey-hk2/2.47//jersey-hk2-2.47.jar
+jersey-server/2.47//jersey-server-2.47.jar
 jettison/1.1//jettison-1.1.jar
 jetty-util-ajax/9.4.58.v20250814//jetty-util-ajax-9.4.58.v20250814.jar
 jetty-util/9.4.58.v20250814//jetty-util-9.4.58.v20250814.jar
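Review bot: The six jersey-* entries jump from 2.40 to 2.47, and the description covers that only as a "patch version upgrade" tested by "Pass GHA", which is thin documentation for a change made to fix CVE-2025-12383. Please name the Jersey artifact the CVE applies to, and say whether any Spark component that uses it has test coverage in the CI run. It is good that all six artifacts move together and that the neighbouring jakarta.ws.rs-api line stays at 2.1.6, so the manifest does not end up with mixed Jersey versions.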
diff --git a/pom.xml b/pom.xml
index 50124447081f..58d046b55e97 100644
--- a/pom.xml
+++ b/pom.xml
@@ -205,7 +205,7 @@
       Please don't upgrade the version to 3.0.0+,
       Because it transition Jakarta REST API from javax to jakarta package.
     -->
-    <jersey.version>2.40</jersey.version>
+    <jersey.version>2.47</jersey.version>
     <joda.version>2.12.5</joda.version>
     <jodd.version>3.5.2</jodd.version>
     <jsr305.version>3.0.0</jsr305.version>
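Review bot: The comment above jersey.version explains only the 3.0.0+ ceiling and gives no reason for the new value, so a later backport or conflict resolution could lower it again without noticing the security impact. Consider adding a line to that comment stating that the version was raised to 2.47 for CVE-2025-12383. The new value stays below 3.0.0, so the existing javax/jakarta constraint is respected.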

