[ https://issues.apache.org/jira/browse/FLINK-34955?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17834681#comment-17834681 ]
Shilun Fan commented on FLINK-34955:
------------------------------------

[~gongzhongqiang] From my personal perspective, I believe upgrading to version 1.26.0 should be sufficient as this version has already fixed the CVE issue. As for upgrading to 1.26.1, I think we can consider it after some time.

Removing commons-codec might prove to be challenging because Flink has dependencies on Hadoop and HBase (both of which directly depend on commons-codec). If we remove commons-codec, it may result in the Hadoop and HBase modules being unable to compile successfully.

> Upgrade commons-compress to 1.26.0
> ----------------------------------
>
> Key: FLINK-34955
> URL: https://issues.apache.org/jira/browse/FLINK-34955
> Project: Flink
> Issue Type: Improvement
> Reporter: Shilun Fan
> Assignee: Shilun Fan
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.18.2, 1.20.0, 1.19.1
>
>
> commons-compress 1.24.0 has CVE issues, try to upgrade to 1.26.0, we can
> refer to the maven link
> https://mvnrepository.com/artifact/org.apache.commons/commons-compress

--
This message was sent by Atlassian Jira (v8.20.10#820010)