This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new 2aa0e8502a Bump shipped OAP dependencies to clear CVE Dependabot 
alerts (#13893)
2aa0e8502a is described below

commit 2aa0e8502a928c7066a01f864ee32122f12dfcae
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Mon Jun 8 09:47:11 2026 +0800

    Bump shipped OAP dependencies to clear CVE Dependabot alerts (#13893)
    
    Bump in oap-server-bom:
    - log4j         2.25.3 -> 2.25.4
    - jackson       2.18.5 -> 2.18.6
    - kafka-clients 3.4.0  -> 3.9.2
    - postgresql    42.4.4 -> 42.7.11
    - commons-compress 1.21 -> 1.26.2
    
    Regenerate dist-material/release-docs/LICENSE accordingly, including the
    kafka-clients transitives: zstd-jni 1.5.6-4, snappy-java 1.1.10.5, and the
    lz4-java groupId change org.lz4 -> at.yawk.lz4 1.10.1. Add a .licenserc.yaml
    override so postgresql keeps its BSD-2-Clause classification (42.7.11 no 
longer
    text-matches the SPDX template, so license-eye otherwise falls back to the 
raw
    license URL).
    
    The kafka-clients 3.9.2 bump also carries KAFKA-17078, fixing the SASL auth
    crash on JDK 24+ (Closes #13849). Corrects the closed PR #13859, which 
failed
    the dependency-license check by not regenerating the LICENSE file.
---
 .licenserc.yaml                    |  3 +++
 dist-material/release-docs/LICENSE | 22 +++++++++++-----------
 docs/en/changes/changes.md         |  1 +
 oap-server-bom/pom.xml             | 10 +++++-----
 4 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/.licenserc.yaml b/.licenserc.yaml
index 3baa9e6fad..7a85203fda 100644
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -123,6 +123,9 @@ dependency:
     - name: com.github.luben:zstd-jni
       version: 1.4.3-1
       license: BSD-2-Clause
+    - name: org.postgresql:postgresql
+      version: 42.7.11
+      license: BSD-2-Clause
     - name: org.antlr:antlr4-runtime
       version: 4.11.1
       license: BSD-3-Clause
diff --git a/dist-material/release-docs/LICENSE 
b/dist-material/release-docs/LICENSE
index e9012606f6..614f378faa 100644
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -189,6 +189,7 @@ Apache-2.0 licenses
 ========================================================================
 The following components are provided under the Apache-2.0 License. See 
project link for details.
 The text of each license is the standard Apache 2.0 license.
+    https://mvnrepository.com/artifact/at.yawk.lz4/lz4-java/1.10.1 Apache-2.0
     
https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/pgv-java-stub/1.3.0
 Apache-2.0
     
https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/protoc-gen-validate/1.3.0
 Apache-2.0
     
https://mvnrepository.com/artifact/com.aayushatharva.brotli4j/brotli4j/1.20.0 
Apache-2.0
@@ -198,8 +199,8 @@ The text of each license is the standard Apache 2.0 license.
     
https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-encryption-plugin/2.3.2
 Apache-2.0
     
https://mvnrepository.com/artifact/com.ctrip.framework.apollo/apollo-client/1.8.0
 Apache-2.0
     
https://mvnrepository.com/artifact/com.ctrip.framework.apollo/apollo-core/1.8.0 
Apache-2.0
-    
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations/2.18.5
 Apache-2.0
-    
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.18.5
 Apache-2.0
+    
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations/2.18.6
 Apache-2.0
+    
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.18.6
 Apache-2.0
     
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.16.0
 Apache-2.0
     
https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.2
 Apache-2.0
     
https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-guava/2.12.0
 Apache-2.0
@@ -319,7 +320,7 @@ The text of each license is the standard Apache 2.0 license.
     https://mvnrepository.com/artifact/javax.inject/javax.inject/1 Apache-2.0
     https://mvnrepository.com/artifact/joda-time/joda-time/2.10.5 Apache-2.0
     https://mvnrepository.com/artifact/net.jodah/failsafe/2.4.4 Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.21 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.26.2 
Apache-2.0
     https://mvnrepository.com/artifact/org.apache.commons/commons-lang3/3.18.0 
Apache-2.0
     https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.4 
Apache-2.0
     https://mvnrepository.com/artifact/org.apache.curator/curator-client/4.3.0 
Apache-2.0
@@ -330,10 +331,10 @@ The text of each license is the standard Apache 2.0 
license.
     
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 
Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16 
Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore-nio/4.4.16
 Apache-2.0
-    https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/3.4.0 
Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.3 
Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.3 
Apache-2.0
-    
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.3
 Apache-2.0
+    https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/3.9.2 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.4 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.4 
Apache-2.0
+    
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.4
 Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.yetus/audience-annotations/0.5.0 
Apache-2.0
     https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.5.7 
Apache-2.0
     
https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper-jute/3.5.7 
Apache-2.0
@@ -349,11 +350,10 @@ The text of each license is the standard Apache 2.0 
license.
     
https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-coroutines-reactive/1.6.4
 Apache-2.0
     https://mvnrepository.com/artifact/org.jetbrains/annotations/13.0 
Apache-2.0
     https://mvnrepository.com/artifact/org.jspecify/jspecify/1.0.0 Apache-2.0
-    https://mvnrepository.com/artifact/org.lz4/lz4-java/1.8.0 Apache-2.0
     https://mvnrepository.com/artifact/org.slf4j/jcl-over-slf4j/1.7.30 
Apache-2.0
     https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j/1.7.30 
Apache-2.0
     https://mvnrepository.com/artifact/org.snakeyaml/snakeyaml-engine/2.6 
Apache-2.0
-    https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.8.4 
Apache-2.0
+    https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.10.5 
Apache-2.0
     https://mvnrepository.com/artifact/org.yaml/snakeyaml/2.0 Apache-2.0
     
https://mvnrepository.com/artifact/tools.profiler/async-profiler-converter/3.0 
Apache-2.0
 
@@ -363,7 +363,7 @@ BSD-2-Clause licenses
 The following components are provided under the BSD-2-Clause License. See 
project link for details.
 The text of each license is also included in licenses/LICENSE-[project].txt.
 
-    https://mvnrepository.com/artifact/org.postgresql/postgresql/42.4.4 
BSD-2-Clause
+    https://mvnrepository.com/artifact/org.postgresql/postgresql/42.7.11 
BSD-2-Clause
 
 ========================================================================
 BSD-3-Clause licenses
@@ -436,7 +436,7 @@ 
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License li
 The following components are provided under the 
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License 
License. See project link for details.
 The text of each license is also included in licenses/LICENSE-[project].txt.
 
-    https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.5.2-1 
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License
+    https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.5.6-4 
https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License
 
 =======================================================================
 The zipkin-lens.jar dependency has more front-end dependencies in it and the 
front-end dependencies' licenses
diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index b30c394b83..b29883c663 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -290,6 +290,7 @@
 * Fix: MAL `expPrefix` now applies to every metric source in `exp`, not just 
the leading one. Previously the prefix was spliced after the first `.`, so 
secondary metrics inside arguments (e.g. the divisor in 
`a.sum(['s']).safeDiv(b.sum(['s']))`) silently skipped the prefix — a rule like 
envoy-ai-gateway's `request_latency_avg` (`sum / count`) would tag-rewrite only 
the dividend. The injection is now AST-aware: every bare-IDENTIFIER metric 
source is wrapped, while downsampling-type consta [...]
 * Add `@Stream(allowBootReshape = true)` opt-in for additive boot-time reshape 
of BanyanDB streams / measures. Code-defined stream classes (e.g. 
`AlarmRecord`) can now annotate their schema as eligible for in-place additive 
update at OAP boot — a new `@Column` is appended to the live tag-family / 
fields via `client.update` instead of being silently rejected with 
`SKIPPED_SHAPE_MISMATCH` (which previously forced operators to drop the measure 
/ stream and lose historical rows). Additive in [...]
 * Mask keywords `trustStorePass`, `keyStorePass` by default.
+* Bump up dependencies to clear CVE alerts on shipped OAP jars: log4j `2.25.3` 
→ `2.25.4`, jackson `2.18.5` → `2.18.6`, kafka-clients `3.4.0` → `3.9.2`, 
postgresql `42.4.4` → `42.7.11`, commons-compress `1.21` → `1.26.2`.
 
 #### UI
 * Add mobile menu icon and i18n labels for the iOS layer.
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 06b1fa3cf5..7a08c4593b 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -29,7 +29,7 @@
 
     <properties>
         <slf4j.version>1.7.30</slf4j.version>
-        <log4j.version>2.25.3</log4j.version>
+        <log4j.version>2.25.4</log4j.version>
         <google.error_prone_annotations>2.11.0</google.error_prone_annotations>
         <graphql-java-tools.version>13.0.1</graphql-java-tools.version>
         <graphql-java.version>21.5</graphql-java.version>
@@ -49,7 +49,7 @@
         <kubernetes.version>6.7.1</kubernetes.version>
         <hikaricp.version>3.1.0</hikaricp.version>
         <zipkin.version>2.24.1</zipkin.version>
-        <jackson.version>2.18.5</jackson.version>
+        <jackson.version>2.18.6</jackson.version>
         <jackson-databind.version>2.16.0</jackson-databind.version>
         <simpleclient.version>0.6.0</simpleclient.version>
         <apollo.version>1.8.0</apollo.version>
@@ -64,16 +64,16 @@
         <mvel.version>2.4.8.Final</mvel.version>
         <commons-beanutils.version>1.11.0</commons-beanutils.version>
         <flatbuffers-java.version>1.12.0</flatbuffers-java.version>
-        <postgresql.version>42.4.4</postgresql.version>
+        <postgresql.version>42.7.11</postgresql.version>
         <jetcd.version>0.6.1</jetcd.version>
         <testcontainers.version>1.17.6</testcontainers.version>
         <armeria.version>1.34.2</armeria.version>
         <awaitility.version>3.0.0</awaitility.version>
         <httpcore.version>4.4.16</httpcore.version>
         <httpasyncclient.version>4.1.5</httpasyncclient.version>
-        <commons-compress.version>1.21</commons-compress.version>
+        <commons-compress.version>1.26.2</commons-compress.version>
         <banyandb-java-client.version>0.9.2</banyandb-java-client.version>
-        <kafka-clients.version>3.4.0</kafka-clients.version>
+        <kafka-clients.version>3.9.2</kafka-clients.version>
         <spring-kafka-test.version>2.4.6.RELEASE</spring-kafka-test.version>
         <consul.client.version>1.5.3</consul.client.version>
         <commons-net.version>3.9.0</commons-net.version>

Reply via email to