This is an automated email from the ASF dual-hosted git repository. wu-sheng pushed a commit to branch cve/oap-server-bom-dep-bumps in repository https://gitbox.apache.org/repos/asf/skywalking.git
commit 266e026f976cf0b043721419fc7a125d0504dbc3 Author: Wu Sheng <[email protected]> AuthorDate: Mon Jun 8 08:24:11 2026 +0800 Bump shipped OAP dependencies to clear CVE Dependabot alerts Bump in oap-server-bom: - log4j 2.25.3 -> 2.25.4 - jackson 2.18.5 -> 2.18.6 - kafka-clients 3.4.0 -> 3.9.2 - postgresql 42.4.4 -> 42.7.11 - commons-compress 1.21 -> 1.26.2 Regenerate dist-material/release-docs/LICENSE accordingly, including the kafka-clients transitives: zstd-jni 1.5.6-4, snappy-java 1.1.10.5, and the lz4-java groupId change org.lz4 -> at.yawk.lz4 1.10.1. Add a .licenserc.yaml override so postgresql keeps its BSD-2-Clause classification (42.7.11 no longer text-matches the SPDX template, so license-eye otherwise falls back to the raw license URL). The kafka-clients 3.9.2 bump also carries KAFKA-17078, fixing the SASL auth crash on JDK 24+ (Closes #13849). Corrects the closed PR #13859, which failed the dependency-license check by not regenerating the LICENSE file. --- .licenserc.yaml | 3 +++ dist-material/release-docs/LICENSE | 22 +++++++++++----------- docs/en/changes/changes.md | 1 + oap-server-bom/pom.xml | 10 +++++----- 4 files changed, 20 insertions(+), 16 deletions(-) diff --git a/.licenserc.yaml b/.licenserc.yaml index 3baa9e6fad..7a85203fda 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -123,6 +123,9 @@ dependency: - name: com.github.luben:zstd-jni version: 1.4.3-1 license: BSD-2-Clause + - name: org.postgresql:postgresql + version: 42.7.11 + license: BSD-2-Clause - name: org.antlr:antlr4-runtime version: 4.11.1 license: BSD-3-Clause diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE index e9012606f6..614f378faa 100644 --- a/dist-material/release-docs/LICENSE +++ b/dist-material/release-docs/LICENSE @@ -189,6 +189,7 @@ Apache-2.0 licenses ======================================================================== The following components are provided under the Apache-2.0 License. See project link for details. The text of each license is the standard Apache 2.0 license. + https://mvnrepository.com/artifact/at.yawk.lz4/lz4-java/1.10.1 Apache-2.0 https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/pgv-java-stub/1.3.0 Apache-2.0 https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/protoc-gen-validate/1.3.0 Apache-2.0 https://mvnrepository.com/artifact/com.aayushatharva.brotli4j/brotli4j/1.20.0 Apache-2.0 @@ -198,8 +199,8 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-encryption-plugin/2.3.2 Apache-2.0 https://mvnrepository.com/artifact/com.ctrip.framework.apollo/apollo-client/1.8.0 Apache-2.0 https://mvnrepository.com/artifact/com.ctrip.framework.apollo/apollo-core/1.8.0 Apache-2.0 - https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations/2.18.5 Apache-2.0 - https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.18.5 Apache-2.0 + https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations/2.18.6 Apache-2.0 + https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.18.6 Apache-2.0 https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.16.0 Apache-2.0 https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.2 Apache-2.0 https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-guava/2.12.0 Apache-2.0 @@ -319,7 +320,7 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/javax.inject/javax.inject/1 Apache-2.0 https://mvnrepository.com/artifact/joda-time/joda-time/2.10.5 Apache-2.0 https://mvnrepository.com/artifact/net.jodah/failsafe/2.4.4 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.21 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.26.2 Apache-2.0 https://mvnrepository.com/artifact/org.apache.commons/commons-lang3/3.18.0 Apache-2.0 https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.4 Apache-2.0 https://mvnrepository.com/artifact/org.apache.curator/curator-client/4.3.0 Apache-2.0 @@ -330,10 +331,10 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 Apache-2.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16 Apache-2.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore-nio/4.4.16 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/3.4.0 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.3 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.3 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.3 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/3.9.2 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.4 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.4 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.4 Apache-2.0 https://mvnrepository.com/artifact/org.apache.yetus/audience-annotations/0.5.0 Apache-2.0 https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.5.7 Apache-2.0 https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper-jute/3.5.7 Apache-2.0 @@ -349,11 +350,10 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-coroutines-reactive/1.6.4 Apache-2.0 https://mvnrepository.com/artifact/org.jetbrains/annotations/13.0 Apache-2.0 https://mvnrepository.com/artifact/org.jspecify/jspecify/1.0.0 Apache-2.0 - https://mvnrepository.com/artifact/org.lz4/lz4-java/1.8.0 Apache-2.0 https://mvnrepository.com/artifact/org.slf4j/jcl-over-slf4j/1.7.30 Apache-2.0 https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j/1.7.30 Apache-2.0 https://mvnrepository.com/artifact/org.snakeyaml/snakeyaml-engine/2.6 Apache-2.0 - https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.8.4 Apache-2.0 + https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.10.5 Apache-2.0 https://mvnrepository.com/artifact/org.yaml/snakeyaml/2.0 Apache-2.0 https://mvnrepository.com/artifact/tools.profiler/async-profiler-converter/3.0 Apache-2.0 @@ -363,7 +363,7 @@ BSD-2-Clause licenses The following components are provided under the BSD-2-Clause License. See project link for details. The text of each license is also included in licenses/LICENSE-[project].txt. - https://mvnrepository.com/artifact/org.postgresql/postgresql/42.4.4 BSD-2-Clause + https://mvnrepository.com/artifact/org.postgresql/postgresql/42.7.11 BSD-2-Clause ======================================================================== BSD-3-Clause licenses @@ -436,7 +436,7 @@ https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License li The following components are provided under the https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License License. See project link for details. The text of each license is also included in licenses/LICENSE-[project].txt. - https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.5.2-1 https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License + https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.5.6-4 https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License ======================================================================= The zipkin-lens.jar dependency has more front-end dependencies in it and the front-end dependencies' licenses diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md index b30c394b83..b29883c663 100644 --- a/docs/en/changes/changes.md +++ b/docs/en/changes/changes.md @@ -290,6 +290,7 @@ * Fix: MAL `expPrefix` now applies to every metric source in `exp`, not just the leading one. Previously the prefix was spliced after the first `.`, so secondary metrics inside arguments (e.g. the divisor in `a.sum(['s']).safeDiv(b.sum(['s']))`) silently skipped the prefix — a rule like envoy-ai-gateway's `request_latency_avg` (`sum / count`) would tag-rewrite only the dividend. The injection is now AST-aware: every bare-IDENTIFIER metric source is wrapped, while downsampling-type consta [...] * Add `@Stream(allowBootReshape = true)` opt-in for additive boot-time reshape of BanyanDB streams / measures. Code-defined stream classes (e.g. `AlarmRecord`) can now annotate their schema as eligible for in-place additive update at OAP boot — a new `@Column` is appended to the live tag-family / fields via `client.update` instead of being silently rejected with `SKIPPED_SHAPE_MISMATCH` (which previously forced operators to drop the measure / stream and lose historical rows). Additive in [...] * Mask keywords `trustStorePass`, `keyStorePass` by default. +* Bump up dependencies to clear CVE alerts on shipped OAP jars: log4j `2.25.3` → `2.25.4`, jackson `2.18.5` → `2.18.6`, kafka-clients `3.4.0` → `3.9.2`, postgresql `42.4.4` → `42.7.11`, commons-compress `1.21` → `1.26.2`. #### UI * Add mobile menu icon and i18n labels for the iOS layer. diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml index 06b1fa3cf5..7a08c4593b 100644 --- a/oap-server-bom/pom.xml +++ b/oap-server-bom/pom.xml @@ -29,7 +29,7 @@ <properties> <slf4j.version>1.7.30</slf4j.version> - <log4j.version>2.25.3</log4j.version> + <log4j.version>2.25.4</log4j.version> <google.error_prone_annotations>2.11.0</google.error_prone_annotations> <graphql-java-tools.version>13.0.1</graphql-java-tools.version> <graphql-java.version>21.5</graphql-java.version> @@ -49,7 +49,7 @@ <kubernetes.version>6.7.1</kubernetes.version> <hikaricp.version>3.1.0</hikaricp.version> <zipkin.version>2.24.1</zipkin.version> - <jackson.version>2.18.5</jackson.version> + <jackson.version>2.18.6</jackson.version> <jackson-databind.version>2.16.0</jackson-databind.version> <simpleclient.version>0.6.0</simpleclient.version> <apollo.version>1.8.0</apollo.version> @@ -64,16 +64,16 @@ <mvel.version>2.4.8.Final</mvel.version> <commons-beanutils.version>1.11.0</commons-beanutils.version> <flatbuffers-java.version>1.12.0</flatbuffers-java.version> - <postgresql.version>42.4.4</postgresql.version> + <postgresql.version>42.7.11</postgresql.version> <jetcd.version>0.6.1</jetcd.version> <testcontainers.version>1.17.6</testcontainers.version> <armeria.version>1.34.2</armeria.version> <awaitility.version>3.0.0</awaitility.version> <httpcore.version>4.4.16</httpcore.version> <httpasyncclient.version>4.1.5</httpasyncclient.version> - <commons-compress.version>1.21</commons-compress.version> + <commons-compress.version>1.26.2</commons-compress.version> <banyandb-java-client.version>0.9.2</banyandb-java-client.version> - <kafka-clients.version>3.4.0</kafka-clients.version> + <kafka-clients.version>3.9.2</kafka-clients.version> <spring-kafka-test.version>2.4.6.RELEASE</spring-kafka-test.version> <consul.client.version>1.5.3</consul.client.version> <commons-net.version>3.9.0</commons-net.version>
