wu-sheng opened a new pull request, #13893: URL: https://github.com/apache/skywalking/pull/13893
### Fix dependency-license failure + clear CVE Dependabot alerts on shipped OAP jars (re-do of #13859) - [x] Explain briefly why the bug exists and how to fix it. Bumps the vulnerable dependencies that physically ship in the OAP distribution (`oap-libs`), clearing their Dependabot alerts: | dependency | old | new | |---|---|---| | `org.apache.logging.log4j:log4j-core` (+api/slf4j-impl) | 2.25.3 | 2.25.4 | | `com.fasterxml.jackson.core:jackson-core` (+annotations) | 2.18.5 | 2.18.6 | | `org.apache.kafka:kafka-clients` | 3.4.0 | 3.9.2 | | `org.postgresql:postgresql` | 42.4.4 | 42.7.11 | | `org.apache.commons:commons-compress` | 1.21 | 1.26.2 | **Why the previous PR (#13859) failed and how this fixes it:** #13859 bumped only `oap-server-bom/pom.xml` + the changelog and failed the **Dependency licenses** check. Bumping `kafka-clients` changes its transitive compression libs, so `dist-material/release-docs/LICENSE` must be regenerated: - `com.github.luben:zstd-jni` 1.5.2-1 → 1.5.6-4 - `org.xerial.snappy:snappy-java` 1.1.8.4 → 1.1.10.5 - **`org.lz4:lz4-java` 1.8.0 → `at.yawk.lz4:lz4-java` 1.10.1** (Kafka switched to the maintained lz4 fork; groupId change, still Apache-2.0) The `LICENSE` file here was regenerated with the CI-pinned `license-eye` (`license-eye dependency resolve`), so the `dependency-license` job produces an empty diff. A `.licenserc.yaml` override is added so `postgresql` keeps its `BSD-2-Clause` classification — pgjdbc 42.7.11 reformatted its bundled license text so it no longer text-matches the SPDX template, and `license-eye` would otherwise emit the raw license URL as the license id. **Scope note:** `zookeeper` (3.5.7) and `okhttp` (3.14.9) are intentionally **not** bumped here — `zookeeper` 3.7.x needs a Curator-compatibility check and `okhttp` 3→4 is a major bump that would break `consul-client`/`retrofit2`. Both are unreachable in a default deployment (opt-in cluster/storage selectors) and are tracked separately. **Compatibility:** the full `flatten:flatten install` build passes with all bumps. The `kafka-clients` 3.9.2 bump also carries KAFKA-17078, fixing the SASL auth crash on JDK 24+. - [x] If this pull request closes/resolves/fixes an existing issue, replace the issue number. Closes #13849. - [x] Update the [`CHANGES` log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
