thswlsqls opened a new issue, #8558: URL: https://github.com/apache/paimon/issues/8558
**Search before asking** - [x] I searched in the [issues](https://github.com/apache/paimon/issues) and found nothing similar. **Paimon version** master @ a8e4069b9 / 2.0-SNAPSHOT **Compute Engine** Engine-agnostic (filesystem shading artifact) **Minimal reproduce step** `mvn -pl paimon-filesystems/paimon-hadoop-shaded dependency:tree` resolves `org.apache.commons:commons-lang3:3.12.0` and `org.xerial.snappy:snappy-java:1.1.8.2` (transitive from `hadoop-common:3.3.4`). Because the shade config uses `<include>*:*</include>`, those versions are bundled into the shaded jar. **What doesn't meet your expectations?** The module's `src/main/resources/META-INF/NOTICE` declares `commons-lang3:3.18.0` and `snappy-java:1.1.10.8`. The CVE fixes #6781 (CVE-2025-48924) and #7383 only edited NOTICE / added an inert root `snappy.version` property — no dependency override reaches this module, so the shaded jar still ships the vulnerable versions and the CVE remediations never take effect here. This propagates to `paimon-hadoop-uber` and the oss/s3/obs/cosn/azure `-impl` modules, which bundle hadoop through this module. **Anything else?** Fix: add `dependencyManagement` overrides (mirroring the existing `commons-beanutils` security bump) pinning `commons-lang3:3.18.0` and `snappy-java:${snappy.version}`, so bundled versions match NOTICE. `dependency:tree` then resolves 3.18.0 / 1.1.10.8. **Are you willing to submit a PR?** - [x] I'm willing to submit a PR! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
