[ 
https://issues.apache.org/jira/browse/BEAM-13616?focusedWorklogId=707089&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-707089
 ]

ASF GitHub Bot logged work on BEAM-13616:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Jan/22 19:46
            Start Date: 11/Jan/22 19:46
    Worklog Time Spent: 10m 
      Work Description: lukecwik commented on a change in pull request #16473:
URL: https://github.com/apache/beam/pull/16473#discussion_r782474437



##########
File path: vendor/calcite-1_28_0/build.gradle
##########
@@ -21,16 +21,20 @@ plugins { id 'org.apache.beam.vendor-java' }
 description = "Apache Beam :: Vendored Dependencies :: Calcite 1.28.0"
 
 group = "org.apache.beam"
-version = "0.1"
+version = "0.2"
 
 def calcite_version = "1.28.0"
 def avatica_version = "1.19.0"
+
+// TODO(BEAM-13616): Calcite does not automatically use an up-to-date protobuf 
dependency.
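
Review bot: the TODO on the last added line records that Calcite does not pick up a current protobuf, but it gives no exit condition, so nobody reading the file later can tell when the override may be dropped. State the minimum protobuf version the override is meant to guarantee and the Calcite upgrade that would make it unnecessary, or move that explanation next to the dependency entry it concerns.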

Review comment:
       ```suggestion
   ```

##########
File path: vendor/calcite-1_28_0/build.gradle
##########
@@ -52,6 +56,8 @@ vendorJava(
                 "org.apache.calcite:calcite-core:$calcite_version",
                 "org.apache.calcite:calcite-linq4j:$calcite_version",
                 "org.apache.calcite.avatica:avatica-core:$avatica_version",
+                "com.google.protobuf:protobuf-java:$protobuf_version",
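
Review bot: $protobuf_version on the added line is not defined in any of the quoted lines, so this hunk alone does not show which protobuf-java ends up in the vendored jar. Confirm it is set to 3.19.2 or later (the version named in BEAM-13616), and check the resolved dependency tree for this project so that calcite-core and avatica-core do not bring in an older protobuf-java alongside it. A short comment above the entry saying why protobuf is listed explicitly would also help whoever upgrades Calcite next.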

Review comment:
       ```suggestion
                   // Override the version of protobuf to patch a security vulnerability. This override can be removed once we upgrade to a newer version of calcite that depends on protobuf >= 3.19.2.
                   "com.google.protobuf:protobuf-java:$protobuf_version",
   ```





Issue Time Tracking
-------------------

    Worklog Id:     (was: 707089)
    Time Spent: 4h 40m  (was: 4.5h)

> Update protobuf-java to 3.19.2 and other vendored dependencies that use 
> protobuf
> --------------------------------------------------------------------------------
>
>                 Key: BEAM-13616
>                 URL: https://issues.apache.org/jira/browse/BEAM-13616
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>            Reporter: Emily Ye
>            Assignee: Emily Ye
>            Priority: P1
>             Fix For: 2.36.0
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> [https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67]
>  requires us to update versions of vendored artifacts that use protobuf, and 
> recommended version of protobuf in BeamModuleGroovy
>  


