Adrian Gonzalez-Martin created SPARK-44157: ----------------------------------------------
Summary: Outdated JARs in PySpark package Key: SPARK-44157 URL: https://issues.apache.org/jira/browse/SPARK-44157 Project: Spark Issue Type: Bug Components: Build, PySpark Affects Versions: 3.4.1 Reporter: Adrian Gonzalez-Martin The JARs which ship embedded within PySpark's package in PyPi don't seem aligned with the deps specified in Spark's own `pom.xml`. For example, in Spark's `pom.xml`, `protobuf-java` is set to `3.21.12`: [https://github.com/apache/spark/blob/6b1ff22dde1ead51cbf370be6e48a802daae58b6/pom.xml#L127] However, if we look at the JARs embedded within PySpark tarball, the version of `protobuf-java` is `2.5.0` (i.e. `..../site-packages/pyspark/jars/protobuf-java-2.5.0.jar`). Same seems to apply to all other dependencies. This introduces a set of CVEs which are fixed on upstream Spark, but are still present in PySpark (e.g. `CVE-2022-3509`, `CVE-2021-22569`, ` CVE-2015-5237` and a few others). As well as potentially introduce a source of conflict whenever there's a breaking change on these deps. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org