Hey Gábor,

Thanks for bringing this up, and I would be in favor of removing it because
of the security implications. I've created a draft PR
<https://github.com/apache/parquet-java/pull/3192> to locally publish the
artifact with reflect missing. With this version, I've tested against the
Iceberg codebase, and it looks like we don't rely on that part.

Kind regards,
Fokko Driesprong

On Mon, 14 Apr 2025 at 09:24, Gábor Szádovszky <ga...@apache.org> wrote:

> Dear Parquet devs/users,
>
> In the light of the recent security concerns about the parquet-avro reflect
> feature (see CVE-2025-30065), I would like to start a discussion about its
> deprecation in the next minor parquet-java release, and the removal in the
> next major release.
>
> The parquet-avro module [1] in parquet-java is to use the Avro data model
> for reading/writing Parquet data. The reflect feature is to support mapping
> Parquet data to arbitrary Java objects via reflection.
> The two additional mapping solutions (code generation and the generic API)
> would remain supported in parquet-java.
>
> Cheers,
> Gabor
>
> [1] https://github.com/apache/parquet-java/tree/master/parquet-avro
>
