[ https://issues.apache.org/jira/browse/SPARK-52708?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Qin updated SPARK-52708:
----------------------------
    Description: 
Several outdated library dependencies that still exist in *PySpark 4.0.0* contain
{*}high/critical security vulnerabilities (CVEs){*}. These libraries are marked
as removed in
[https://spark.apache.org/releases/spark-release-4-0-0.html|https://spark.apache.org/releases/spark-release-4-0-0.html].
 * jackson-mapper-asl:1.9.13
 * jackson-core-asl:1.9.13

Expected Behaviour:
 * Ideally, these jars should be removed.

The above list is not complete, but it is inconsistent with the official release notes.

  was:
Several outdated library dependencies that still exist in *PySpark 4.0.0* contain
{*}high/critical security vulnerabilities (CVEs){*}. These libraries are marked
as removed in
[https://spark.apache.org/releases/spark-release-4-0-0.html|https://spark.apache.org/releases/spark-release-4-0-0.html].
 * jackson-mapper-asl:1.9.13
 * jackson-core-asl:1.9.13

Expected Behaviour:
 * Ideally, these jars should be removed.

The above list is not complete, but it is quite confusing.


> Remove dependencies exposed to critical and high CVEs
> -----------------------------------------------------
>
>                 Key: SPARK-52708
>                 URL: https://issues.apache.org/jira/browse/SPARK-52708
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: PySpark
>    Affects Versions: 4.0.0
>            Reporter: Kai Qin
>            Priority: Major
>
> Several outdated library dependencies that still exist in *PySpark 4.0.0* contain
> {*}high/critical security vulnerabilities (CVEs){*}. These libraries are marked
> as removed in
> [https://spark.apache.org/releases/spark-release-4-0-0.html|https://spark.apache.org/releases/spark-release-4-0-0.html].
>  * jackson-mapper-asl:1.9.13
>  * jackson-core-asl:1.9.13
> Expected Behaviour:
>  * Ideally, these jars should be removed.
> The above list is not complete, but it is inconsistent with the official release
> notes.
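A defender-side check for the mismatch the issue describes, as an added example that is not part of the Jira issue or of Spark: it scans a jars directory (assumed layout `<artifact>-<version>.jar`, as in the `pyspark/jars` folder of the wheel) against the two artifact ids named above. The file names in `demo_dir` are constructed so the audit runs offline without PySpark installed.

```python
import os, re, tempfile
from pathlib import Path

# Artifact ids the issue reports as still shipped in PySpark 4.0.0 despite the
# 4.0.0 release notes listing them as removed (versions as reported there).
REMOVED_ARTIFACTS = {
    "jackson-mapper-asl": "1.9.13",
    "jackson-core-asl": "1.9.13",
}

# Heuristic split of "<artifact>-<version>.jar": the version is the part after
# the first "-" that is followed by a digit (handles Scala suffixes like _2.13).
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")

def parse_jar_name(filename):
    """'jackson-core-asl-1.9.13.jar' -> ('jackson-core-asl', '1.9.13'), else None."""
    m = JAR_NAME.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None

def find_flagged_jars(jar_dir, deny_list=REMOVED_ARTIFACTS):
    """Return sorted (artifact, version, path) for jars whose artifact id is denied."""
    hits = []
    for entry in sorted(Path(jar_dir).glob("*.jar")):
        parsed = parse_jar_name(entry.name)
        if parsed and parsed[0] in deny_list:
            hits.append((parsed[0], parsed[1], str(entry)))
    return hits

def pyspark_jar_dir():
    """Jars directory of an installed PySpark wheel, or None if PySpark is absent."""
    try:
        import pyspark
    except ImportError:
        return None
    return os.path.join(os.path.dirname(pyspark.__file__), "jars")

def demo_dir():
    """Constructed sample directory (file names invented) so the audit runs offline."""
    d = tempfile.mkdtemp(prefix="pyspark-jars-")
    for name in ("jackson-core-asl-1.9.13.jar", "jackson-mapper-asl-1.9.13.jar",
                 "jackson-core-2.0.0.jar", "spark-core_2.13-4.0.0.jar", "README.txt"):
        Path(d, name).touch()
    return d

if __name__ == "__main__":
    for artifact, version, path in find_flagged_jars(pyspark_jar_dir() or demo_dir()):
        print(f"FLAGGED {artifact}:{version} -> {path}")
```

Run it inside the environment that ships PySpark; an empty result means neither `jackson-*-asl` jar is present in that install.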



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
