hemanthumashankar0511 opened a new pull request, #6401: URL: https://github.com/apache/hive/pull/6401
What changes were proposed in this pull request?

This PR upgrades two Spring-related dependencies to address a known security vulnerability:

- spring.version: 5.3.39 → 6.2.12 (in both pom.xml and standalone-metastore/pom.xml)
- spring-ldap-core: 2.4.4 → 3.3.4 (in both pom.xml and standalone-metastore/pom.xml)

Why are the changes needed?

This upgrade addresses CVE-2025-41249, which affects spring-core versions through 5.3.39. The previously used spring-ldap-core:2.4.4 transitively pulled in the vulnerable spring-core:5.3.39. Upgrading to spring-ldap-core:3.3.4 brings in a Spring 6.2.12 baseline, fully resolving the vulnerability.

The fix has been verified across both the standalone-metastore and ql modules: neither module's dependency tree contains spring-core:5.3.x after this change.

Does this PR introduce any user-facing change?

No. This is a pure maintenance upgrade with no functional changes. Note that Spring 6 requires Java 17, which aligns with the Java 17 baseline already being adopted in Hive master.

How was this patch tested?

- Dependency tree verification: confirmed via mvn dependency:tree on both the standalone-metastore and ql modules that spring-core:5.3.39 is fully replaced by 6.2.12 with no residual vulnerable transitive references.
- Compilation check: successfully ran mvn clean install -DskipTests on the ql and service-rpc modules with no breaking API changes.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
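The dependency-tree verification step described in the PR, as an added example that is not part of the original post or of the Hive project: a small POSIX sh check that scans mvn dependency:tree output for spring-core coordinates in the range the PR names as affected by CVE-2025-41249 (through 5.3.39), run here over constructed before/after trees. The module coordinate org.example:sample-module, the function name check_spring_core, the assumed extent of the affected range (all 5.x up to 5.3.39) and the -pl invocations in the comments are assumptions, not taken from the PR.

```shell
#!/bin/sh
# Added example, not code from the Hive PR or the Hive project: a scripted
# version of the "dependency tree verification" step. It checks
# `mvn dependency:tree` output for spring-core versions still inside the range
# the PR names as affected by CVE-2025-41249 (spring-core through 5.3.39).
#
# Assumed real usage, per module, from the repository root:
#   mvn -q dependency:tree -pl standalone-metastore | check_spring_core
#   mvn -q dependency:tree -pl ql | check_spring_core
# Exit status 0 means no affected spring-core artifact is on the tree, 1 means
# at least one is (the offending coordinates are printed to stderr).

# Assumption: the affected range is every 5.x release up to and including
# 5.3.39, i.e. 5.0.x, 5.1.x, 5.2.x and 5.3.0 to 5.3.39. The trailing ':' anchors
# the end of the version so that 5.3.4 does not also match 5.3.40.
AFFECTED_RE='org\.springframework:spring-core:jar:5\.([0-2]\.[0-9]+|3\.([0-9]|[1-3][0-9])):'

check_spring_core() {
    # grep -o prints only the matching coordinate; sort -u collapses repeats
    # (the same artifact usually appears several times in one tree).
    hits=$(grep -E -o "$AFFECTED_RE" | sort -u)
    if [ -n "$hits" ]; then
        printf 'affected spring-core still on the dependency tree:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed samples in dependency:tree format. They are not captured from
# Hive; org.example:sample-module is a placeholder module coordinate.
TREE_BEFORE='[INFO] org.example:sample-module:jar:1.0
[INFO] +- org.springframework.ldap:spring-ldap-core:jar:2.4.4:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.39:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
[INFO] |  \- org.springframework:spring-beans:jar:5.3.39:compile'

TREE_AFTER='[INFO] org.example:sample-module:jar:1.0
[INFO] +- org.springframework.ldap:spring-ldap-core:jar:3.3.4:compile
[INFO] |  +- org.springframework:spring-core:jar:6.2.12:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:6.2.12:compile
[INFO] |  \- org.springframework:spring-beans:jar:6.2.12:compile'

# Demo on the constructed samples: the pre-upgrade tree is flagged, the
# post-upgrade tree passes.
printf '%s\n' "$TREE_BEFORE" | check_spring_core && echo "before: clean" || echo "before: affected"
printf '%s\n' "$TREE_AFTER"  | check_spring_core && echo "after: clean"  || echo "after: affected"
```

The check deliberately matches only the spring-core artifact the PR discusses; a fuller gate would extend AFFECTED_RE to the other org.springframework artifacts that ride along at the same version (spring-beans, spring-jcl) so that a partial upgrade leaving a mixed 5.3.x/6.2.x tree is also caught.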
