Hi, thanks for making this happen. I did not check every PR, but in case these are mostly patch or minor version bumps which does not require any actual logical change, I think creating 1 JIRA for the whole group where you summarize the resolved/mitigated CVEs and then raising 1 PR with all the changes would be the most straightforward and easily trackable 6 months from now.
Best, Ferenc On Monday, February 9th, 2026 at 11:13, Cameron Scholes <[email protected]> wrote: > > > Hi > > I am in the process of resolving CVEs in Flink via dependency updates > and I have so far created a few PRs listed below. > > https://github.com/apache/flink/pull/27479 > https://github.com/apache/flink/pull/27493 > https://github.com/apache/flink/pull/27512 > https://github.com/apache/flink/pull/27526 > https://github.com/apache/flink/pull/27535 > > I was just wondering if it is acceptable to keep these as hotfixes as > they are trivial dependency updates for the most part, or do they need > to have an attached Jira ticket? > > > Kind Regards > > Cameron
