This is an automated email from the ASF dual-hosted git repository.
wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new 2aa0e8502a Bump shipped OAP dependencies to clear CVE Dependabot
alerts (#13893)
2aa0e8502a is described below
commit 2aa0e8502a928c7066a01f864ee32122f12dfcae
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Mon Jun 8 09:47:11 2026 +0800
Bump shipped OAP dependencies to clear CVE Dependabot alerts (#13893)
Bump in oap-server-bom:
- log4j 2.25.3 -> 2.25.4
- jackson 2.18.5 -> 2.18.6
- kafka-clients 3.4.0 -> 3.9.2
- postgresql 42.4.4 -> 42.7.11
- commons-compress 1.21 -> 1.26.2
Regenerate dist-material/release-docs/LICENSE accordingly, including the
kafka-clients transitives: zstd-jni 1.5.6-4, snappy-java 1.1.10.5, and the
lz4-java groupId change org.lz4 -> at.yawk.lz4 1.10.1. Add a .licenserc.yaml
override so postgresql keeps its BSD-2-Clause classification (42.7.11 no
longer
text-matches the SPDX template, so license-eye otherwise falls back to the
raw
license URL).
The kafka-clients 3.9.2 bump also carries KAFKA-17078, fixing the SASL auth
crash on JDK 24+ (Closes #13849). Corrects the closed PR #13859, which
failed
the dependency-license check by not regenerating the LICENSE file.
---
.licenserc.yaml | 3 +++
dist-material/release-docs/LICENSE | 22 +++++++++++-----------
docs/en/changes/changes.md | 1 +
oap-server-bom/pom.xml | 10 +++++-----
4 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/.licenserc.yaml b/.licenserc.yaml
index 3baa9e6fad..7a85203fda 100644
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -123,6 +123,9 @@ dependency:
- name: com.github.luben:zstd-jni
version: 1.4.3-1
license: BSD-2-Clause
+ - name: org.postgresql:postgresql
+ version: 42.7.11
+ license: BSD-2-Clause
- name: org.antlr:antlr4-runtime
version: 4.11.1
license: BSD-3-Clause
diff --git a/dist-material/release-docs/LICENSE
b/dist-material/release-docs/LICENSE
index e9012606f6..614f378faa 100644
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -189,6 +189,7 @@ Apache-2.0 licenses
========================================================================
The following components are provided under the Apache-2.0 License. See
project link for details.
The text of each license is the standard Apache 2.0 license.
+ https://mvnrepository.com/artifact/at.yawk.lz4/lz4-java/1.10.1 Apache-2.0
https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/pgv-java-stub/1.3.0
Apache-2.0
https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/protoc-gen-validate/1.3.0
Apache-2.0
https://mvnrepository.com/artifact/com.aayushatharva.brotli4j/brotli4j/1.20.0
Apache-2.0
@@ -198,8 +199,8 @@ The text of each license is the standard Apache 2.0 license.
https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-encryption-plugin/2.3.2
Apache-2.0
https://mvnrepository.com/artifact/com.ctrip.framework.apollo/apollo-client/1.8.0
Apache-2.0
https://mvnrepository.com/artifact/com.ctrip.framework.apollo/apollo-core/1.8.0
Apache-2.0
-
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations/2.18.5
Apache-2.0
-
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.18.5
Apache-2.0
+
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations/2.18.6
Apache-2.0
+
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.18.6
Apache-2.0
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.16.0
Apache-2.0
https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.2
Apache-2.0
https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-guava/2.12.0
Apache-2.0
@@ -319,7 +320,7 @@ The text of each license is the standard Apache 2.0 license.
https://mvnrepository.com/artifact/javax.inject/javax.inject/1 Apache-2.0
https://mvnrepository.com/artifact/joda-time/joda-time/2.10.5 Apache-2.0
https://mvnrepository.com/artifact/net.jodah/failsafe/2.4.4 Apache-2.0
-
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.21
Apache-2.0
+
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.26.2
Apache-2.0
https://mvnrepository.com/artifact/org.apache.commons/commons-lang3/3.18.0
Apache-2.0
https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.4
Apache-2.0
https://mvnrepository.com/artifact/org.apache.curator/curator-client/4.3.0
Apache-2.0
@@ -330,10 +331,10 @@ The text of each license is the standard Apache 2.0
license.
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13
Apache-2.0
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16
Apache-2.0
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore-nio/4.4.16
Apache-2.0
- https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/3.4.0
Apache-2.0
-
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.3
Apache-2.0
-
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.3
Apache-2.0
-
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.3
Apache-2.0
+ https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/3.9.2
Apache-2.0
+
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.4
Apache-2.0
+
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.4
Apache-2.0
+
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.4
Apache-2.0
https://mvnrepository.com/artifact/org.apache.yetus/audience-annotations/0.5.0
Apache-2.0
https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.5.7
Apache-2.0
https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper-jute/3.5.7
Apache-2.0
@@ -349,11 +350,10 @@ The text of each license is the standard Apache 2.0
license.
https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-coroutines-reactive/1.6.4
Apache-2.0
https://mvnrepository.com/artifact/org.jetbrains/annotations/13.0
Apache-2.0
https://mvnrepository.com/artifact/org.jspecify/jspecify/1.0.0 Apache-2.0
- https://mvnrepository.com/artifact/org.lz4/lz4-java/1.8.0 Apache-2.0
https://mvnrepository.com/artifact/org.slf4j/jcl-over-slf4j/1.7.30
Apache-2.0
https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j/1.7.30
Apache-2.0
https://mvnrepository.com/artifact/org.snakeyaml/snakeyaml-engine/2.6
Apache-2.0
- https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.8.4
Apache-2.0
+ https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.10.5
Apache-2.0
https://mvnrepository.com/artifact/org.yaml/snakeyaml/2.0 Apache-2.0
https://mvnrepository.com/artifact/tools.profiler/async-profiler-converter/3.0
Apache-2.0
@@ -363,7 +363,7 @@ BSD-2-Clause licenses
The following components are provided under the BSD-2-Clause License. See
project link for details.
The text of each license is also included in licenses/LICENSE-[project].txt.
- https://mvnrepository.com/artifact/org.postgresql/postgresql/42.4.4
BSD-2-Clause
+ https://mvnrepository.com/artifact/org.postgresql/postgresql/42.7.11
BSD-2-Clause
========================================================================
BSD-3-Clause licenses
@@ -436,7 +436,7 @@
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License li
The following components are provided under the
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License
License. See project link for details.
The text of each license is also included in licenses/LICENSE-[project].txt.
- https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.5.2-1
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License
+ https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.5.6-4
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License
=======================================================================
The zipkin-lens.jar dependency has more front-end dependencies in it and the
front-end dependencies' licenses
diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index b30c394b83..b29883c663 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -290,6 +290,7 @@
* Fix: MAL `expPrefix` now applies to every metric source in `exp`, not just
the leading one. Previously the prefix was spliced after the first `.`, so
secondary metrics inside arguments (e.g. the divisor in
`a.sum(['s']).safeDiv(b.sum(['s']))`) silently skipped the prefix — a rule like
envoy-ai-gateway's `request_latency_avg` (`sum / count`) would tag-rewrite only
the dividend. The injection is now AST-aware: every bare-IDENTIFIER metric
source is wrapped, while downsampling-type consta [...]
* Add `@Stream(allowBootReshape = true)` opt-in for additive boot-time reshape
of BanyanDB streams / measures. Code-defined stream classes (e.g.
`AlarmRecord`) can now annotate their schema as eligible for in-place additive
update at OAP boot — a new `@Column` is appended to the live tag-family /
fields via `client.update` instead of being silently rejected with
`SKIPPED_SHAPE_MISMATCH` (which previously forced operators to drop the measure
/ stream and lose historical rows). Additive in [...]
* Mask keywords `trustStorePass`, `keyStorePass` by default.
+* Bump up dependencies to clear CVE alerts on shipped OAP jars: log4j `2.25.3`
→ `2.25.4`, jackson `2.18.5` → `2.18.6`, kafka-clients `3.4.0` → `3.9.2`,
postgresql `42.4.4` → `42.7.11`, commons-compress `1.21` → `1.26.2`.
#### UI
* Add mobile menu icon and i18n labels for the iOS layer.
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 06b1fa3cf5..7a08c4593b 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -29,7 +29,7 @@
<properties>
<slf4j.version>1.7.30</slf4j.version>
- <log4j.version>2.25.3</log4j.version>
+ <log4j.version>2.25.4</log4j.version>
<google.error_prone_annotations>2.11.0</google.error_prone_annotations>
<graphql-java-tools.version>13.0.1</graphql-java-tools.version>
<graphql-java.version>21.5</graphql-java.version>
@@ -49,7 +49,7 @@
<kubernetes.version>6.7.1</kubernetes.version>
<hikaricp.version>3.1.0</hikaricp.version>
<zipkin.version>2.24.1</zipkin.version>
- <jackson.version>2.18.5</jackson.version>
+ <jackson.version>2.18.6</jackson.version>
<jackson-databind.version>2.16.0</jackson-databind.version>
<simpleclient.version>0.6.0</simpleclient.version>
<apollo.version>1.8.0</apollo.version>
@@ -64,16 +64,16 @@
<mvel.version>2.4.8.Final</mvel.version>
<commons-beanutils.version>1.11.0</commons-beanutils.version>
<flatbuffers-java.version>1.12.0</flatbuffers-java.version>
- <postgresql.version>42.4.4</postgresql.version>
+ <postgresql.version>42.7.11</postgresql.version>
<jetcd.version>0.6.1</jetcd.version>
<testcontainers.version>1.17.6</testcontainers.version>
<armeria.version>1.34.2</armeria.version>
<awaitility.version>3.0.0</awaitility.version>
<httpcore.version>4.4.16</httpcore.version>
<httpasyncclient.version>4.1.5</httpasyncclient.version>
- <commons-compress.version>1.21</commons-compress.version>
+ <commons-compress.version>1.26.2</commons-compress.version>
<banyandb-java-client.version>0.9.2</banyandb-java-client.version>
- <kafka-clients.version>3.4.0</kafka-clients.version>
+ <kafka-clients.version>3.9.2</kafka-clients.version>
<spring-kafka-test.version>2.4.6.RELEASE</spring-kafka-test.version>
<consul.client.version>1.5.3</consul.client.version>
<commons-net.version>3.9.0</commons-net.version>