spuru9 opened a new pull request, #253: URL: https://github.com/apache/flink-connector-kafka/pull/253
## Summary

Bumps three dependency versions declared in the root `pom.xml` to clear known CVEs flagged by `trivy fs`.

| Dep | From | To | CVE | Severity | Scope |
|---|---|---|---|---|---|
| `jackson-bom` | 2.18.2 | 2.21.3 | [GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq) — async parser DoS via number-length bypass | MEDIUM | **compile (ships in connector jar)** |
| `log4j` | 2.25.0 | 2.25.4 | [CVE-2025-68161](https://nvd.nist.gov/vuln/detail/CVE-2025-68161), [CVE-2026-34477](https://nvd.nist.gov/vuln/detail/CVE-2026-34477), [CVE-2026-34478](https://nvd.nist.gov/vuln/detail/CVE-2026-34478), [CVE-2026-34480](https://nvd.nist.gov/vuln/detail/CVE-2026-34480) | MEDIUM | test |
| `assertj` | 3.27.3 | 3.27.7 | [CVE-2026-24400](https://nvd.nist.gov/vuln/detail/CVE-2026-24400) — XXE info disclosure / DoS | HIGH | test |

Only `jackson` ships in the connector jar (`flink-connector-kafka` and shaded `flink-sql-connector-kafka` at compile scope). `log4j` and `assertj` are test-scope hygiene bumps. 2.21.3 was chosen for `jackson-bom` to align with what Flink master pins, so the connector and Flink stay on the same Jackson minor going forward.

## Test plan

- [x] `mvn clean test-compile` on `flink-connector-kafka` passes with the new versions.
- [x] `trivy fs` no longer reports the five CVEs above.
- [ ] CI green.
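As an added example (not the PR's or the project's code), the check below reads a `pom.xml`, resolves `${property}` versions, compares each dependency of interest against a fixed-version floor taken from the "To" column above, and flags whether the artifact is compile/runtime scoped (so it ships in the jar) or test scoped. The pom is a constructed sample, not the real `flink-connector-kafka` root pom, and the artifact coordinates (`jackson-databind` standing in for what `jackson-bom` pins, `log4j-core`, `assertj-core`) are assumptions for the illustration.

```python
"""Audit declared Maven dependency versions against CVE fix floors.

Constructed example: the pom below is a stand-in for a project pom, and the
floors are the target versions from the dependency-bump table above.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Minimum fixed versions (assumed coordinates; floors are the PR's "To" column).
FIX_FLOORS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.21.3",
    "org.apache.logging.log4j:log4j-core": "2.25.4",
    "org.assertj:assertj-core": "3.27.7",
}

# Constructed sample pom: jackson and assertj still below floor, log4j already fixed.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <properties>
    <jackson.version>2.18.2</jackson.version>
    <log4j.version>2.25.4</log4j.version>
    <assertj.version>3.27.3</assertj.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>${{jackson.version}}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>${{log4j.version}}</version><scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.assertj</groupId><artifactId>assertj-core</artifactId>
      <version>${{assertj.version}}</version><scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


def version_key(version):
    """Sort key for dotted versions: numeric segments compare as integers.

    Simplification of Maven's ComparableVersion: qualifiers such as '-rc1'
    are compared as plain strings after the numeric segments.
    """
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def resolve(value, props):
    """Expand ${prop} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def ships_in_jar(scope):
    """compile and runtime scoped artifacts end up in the packaged/shaded jar."""
    return scope in ("compile", "runtime")


def audit_pom(pom_xml, floors):
    """Return one finding per dependency that has a floor, with below_floor set."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {}
    if props_el is not None:
        props = {p.tag.split("}")[1]: (p.text or "").strip() for p in props_el}
    findings = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        ga = f"{group}:{artifact}"
        if ga not in floors:
            continue
        version = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)
        findings.append({
            "ga": ga,
            "version": version,
            "floor": floors[ga],
            "scope": scope,
            "ships_in_jar": ships_in_jar(scope),
            "below_floor": version_key(version) < version_key(floors[ga]),
        })
    return findings


if __name__ == "__main__":
    for f in audit_pom(SAMPLE_POM, FIX_FLOORS):
        status = "BELOW FLOOR" if f["below_floor"] else "ok"
        where = "ships in jar" if f["ships_in_jar"] else f"{f['scope']} only"
        print(f"{f['ga']}: {f['version']} (floor {f['floor']}) {status}, {where}")
```

The scope column matters for triage: a below-floor compile dependency is a real change to the shipped artifact, while a below-floor test dependency is hygiene, as the description above distinguishes. Run this against the actual pom after the bump and expect no `BELOW FLOOR` lines.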
