Copilot commented on code in PR #2918:
URL:
https://github.com/apache/incubator-hugegraph/pull/2918#discussion_r2626402615
##########
hugegraph-server/hugegraph-core/pom.xml:
##########
@@ -197,6 +197,8 @@
<artifactId>commons-compress</artifactId>
<version>${commons-compress.version}</version>
</dependency>
+ <!-- LZ4 version update from 1.8.0 to 1.8.1. For details on the
specific changes, please refer to:
+ https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
-->
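Review bot: The added comment after the commons-compress dependency records change history ("update from 1.8.0 to 1.8.1") instead of a constraint, so it will be out of date at the next version bump. Suggest moving the from/to wording into the commit message and keeping a one-line comment that names the minimum lz4 version and the reason. The reference is a sites.google.com link with the identifier embedded in lower case; write the identifier as CVE-2025-12183 in the comment text so it can be looked up in any advisory database, and keep the link as a secondary pointer.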
Review Comment:
The CVE reference "cve-2025-12183" appears to reference a vulnerability in
2025. Please verify that this CVE identifier is correct and publicly
documented. If this is referencing a security fix, ensure the CVE is accurately
cited and the vulnerability details are correct.
##########
hugegraph-struct/pom.xml:
##########
@@ -108,10 +108,12 @@
<artifactId>fastutil</artifactId>
<version>8.1.0</version>
</dependency>
+ <!-- LZ4 version update from 1.7.1 to 1.8.1. For details on the
specific changes, please refer to:
+ https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
-->
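Review bot: The "from 1.7.1" in this added comment differs from the "from 1.8.0" in the same comment in hugegraph-server/hugegraph-core/pom.xml, so the two modules were pinned to different lz4 versions before this change. Suggest declaring the lz4 version once, in a shared property or the parent's dependencyManagement, so that a security update cannot reach one module and miss another, and keeping the CVE note at that single declaration instead of duplicating it per module.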
Review Comment:
The CVE reference "cve-2025-12183" appears to reference a vulnerability in
2025. Please verify that this CVE identifier is correct and publicly
documented. If this is referencing a security fix, ensure the CVE is accurately
cited and the vulnerability details are correct.
##########
install-dist/release-docs/LICENSE:
##########
@@ -651,6 +651,7 @@ The text of each license is also included in
licenses/LICENSE-[project].txt.
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.4.0 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.7.1 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.0 -> Apache 2.0
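Review bot: The hunk header (651,6 to 651,7) shows one line added and none removed, while the visible context still lists lz4-java 1.4.0, 1.7.1 and 1.8.0. If those entries reflect jars that are still bundled, the upgrade described in the pom.xml comments is incomplete; if they do not, the entries are stale. Suggest checking the resolved dependency tree for every lz4-java version that ends up in the distribution, confirming whether the 1.4.0 jar is still shipped and whether the cited advisory applies to it, and then making this list match exactly what is packaged.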
Review Comment:
The entries for lz4-java versions 1.7.1 and 1.8.0 should be removed since
these versions are being replaced by 1.8.1. Only versions 1.4.0 and 1.8.1
should remain in the LICENSE file, as indicated by the updated
known-dependencies.txt which removes lz4-java-1.7.1.jar and lz4-java-1.8.0.jar.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]