I have created the following Jira ticket
https://issues.apache.org/jira/browse/FLINK-39060
I may need to create another ticket to go through exclusions in other
dependencies to reduce CVE numbers from transitive dependencies.
Kind Regards
Cameron
On 2026/02/09 11:52:01 Ferenc Csaky wrote:
> Hi,
>
> thanks for making this happen. I did not check every PR, but in case these are
> mostly patch or minor version bumps which do not require any actual logical
> change, I think creating 1 JIRA for the whole group where you summarize the
> resolved/mitigated CVEs and then raising 1 PR with all the changes would be the
> most straightforward and easily trackable 6 months from now.
>
> Best,
> Ferenc
>
>
>
> On Monday, February 9th, 2026 at 11:13, Cameron Scholes <[email protected]> wrote:
>
> >
> >
> > Hi
> >
> > I am in the process of resolving CVEs in Flink via dependency updates
> > and I have so far created a few PRs listed below.
> >
> > https://github.com/apache/flink/pull/27479
> > https://github.com/apache/flink/pull/27493
> > https://github.com/apache/flink/pull/27512
> > https://github.com/apache/flink/pull/27526
> > https://github.com/apache/flink/pull/27535
> >
> > I was just wondering if it is acceptable to keep these as hotfixes as
> > they are trivial dependency updates for the most part, or do they need
> > to have an attached Jira ticket?
> >
> >
> > Kind Regards
> >
> > Cameron
>