damccorm opened a new issue, #21639: URL: https://github.com/apache/beam/issues/21639
The [beam-vendor-grpc-1_43_2](https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2) dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final](https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final)

In turn, our Beam pipeline builds are marked as vulnerable and we're having issues promoting them to higher environments. Because Netty is shaded, we can't simply override the version in the build tool.

Imported from Jira [BEAM-14118](https://issues.apache.org/jira/browse/BEAM-14118). Original Jira may contain additional context.

Reported by: jigga.
