wu-sheng opened a new pull request, #13893:
URL: https://github.com/apache/skywalking/pull/13893

   ### Fix dependency-license failure + clear CVE Dependabot alerts on shipped 
OAP jars (re-do of #13859)
   
   - [x] Explain briefly why the bug exists and how to fix it.
   
   Bumps the vulnerable dependencies that physically ship in the OAP 
distribution (`oap-libs`), clearing their Dependabot alerts:
   
   | dependency | old | new |
   |---|---|---|
   | `org.apache.logging.log4j:log4j-core` (+api/slf4j-impl) | 2.25.3 | 2.25.4 |
   | `com.fasterxml.jackson.core:jackson-core` (+annotations) | 2.18.5 | 2.18.6 
|
   | `org.apache.kafka:kafka-clients` | 3.4.0 | 3.9.2 |
   | `org.postgresql:postgresql` | 42.4.4 | 42.7.11 |
   | `org.apache.commons:commons-compress` | 1.21 | 1.26.2 |
   
   **Why the previous PR (#13859) failed and how this fixes it:** #13859 bumped 
only `oap-server-bom/pom.xml` + the changelog and failed the **Dependency 
licenses** check. Bumping `kafka-clients` changes its transitive compression 
libs, so `dist-material/release-docs/LICENSE` must be regenerated:
   
   - `com.github.luben:zstd-jni` 1.5.2-1 → 1.5.6-4
   - `org.xerial.snappy:snappy-java` 1.1.8.4 → 1.1.10.5
   - **`org.lz4:lz4-java` 1.8.0 → `at.yawk.lz4:lz4-java` 1.10.1** (Kafka 
switched to the maintained lz4 fork; groupId change, still Apache-2.0)
   
   The `LICENSE` file here was regenerated with the CI-pinned `license-eye` 
(`license-eye dependency resolve`), so the `dependency-license` job produces an 
empty diff. A `.licenserc.yaml` override is added so `postgresql` keeps its 
`BSD-2-Clause` classification — pgjdbc 42.7.11 reformatted its bundled license 
text so it no longer text-matches the SPDX template, and `license-eye` would 
otherwise emit the raw license URL as the license id.
   
   **Scope note:** `zookeeper` (3.5.7) and `okhttp` (3.14.9) are intentionally 
**not** bumped here — `zookeeper` 3.7.x needs a Curator-compatibility check and 
`okhttp` 3→4 is a major bump that would break `consul-client`/`retrofit2`. Both 
are unreachable in a default deployment (opt-in cluster/storage selectors) and 
are tracked separately.
   
   **Compatibility:** the full `flatten:flatten install` build passes with all 
bumps. The `kafka-clients` 3.9.2 bump also carries KAFKA-17078, fixing the SASL 
auth crash on JDK 24+.
   
   - [x] If this pull request closes/resolves/fixes an existing issue, replace 
the issue number. Closes #13849.
   - [x] Update the [`CHANGES` 
log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to