wu-sheng opened a new pull request, #13913:
URL: https://github.com/apache/skywalking/pull/13913

   This clears the actionable, non-Go Dependabot alerts on `master`. (The Go e2e-fixture alerts require a Go 1.24 agent toolchain and are handled separately via skywalking-go image work + an e2e follow-up.)
   
   ### Shipped product (oap-server-bom + LICENSE + docs)
   - **Apache Curator `4.3.0` → `5.9.0`** (+ `curator-test`) and **Apache ZooKeeper `3.5.7` → `3.9.5`**, bumped together — Curator 5.x is the line that carries the ZK 3.9.x client. Clears **CVE-2023-44981** (critical). OAP is a ZooKeeper *client* only, so the server-side bug was never reachable, but the bundled jar tripped Dependabot. The cluster-zookeeper and configuration-zookeeper plugins use only stable Curator APIs, so no source changes were required. Operator-facing change: supported ZooKeeper server version is now 3.5+ (3.4.x dropped by Curator 5.x). `dist-material/release-docs/LICENSE` regenerated (curator ×4, zookeeper + jute, audience-annotations); `application.yml` + `backend-cluster.md` updated.
   
   ### Build/test scope
   - **assertj-core `3.20.2` → `3.27.7`** — clears CVE-2026-24400 (XXE in `isXmlEqualTo`, unused), test scope.
   
   ### e2e test fixtures (`test/e2e-v2`, never shipped)
   - guava → `32.0.0-jre`, kafka-clients → `3.9.2` (+ removed a stale unused `2.4.1` property), log4j-core → `2.25.4`, logback → `1.2.13` (the Java-8 line, not Dependabot's JDK-11 `1.4.12`), json-path → `2.9.0`, flask → `3.1.3`, protobuf → `4.25.8`.
   
   ### Validation
   - Full `clean install` of the reactor (BOM change) ✓; cluster-zookeeper + configuration-zookeeper plugin tests ✓ on Curator 5.9.0 / ZK 3.9.5; `java-test-service` e2e reactor compiles against the bumped deps ✓; checkstyle + license-header preflight ✓.
   
   <!-- not a bug/feature/perf — dependency/CVE maintenance -->
   - [ ] If this pull request closes/resolves/fixes an existing issue, replace the issue number. Closes #NNNN.
   - [x] Update the [`CHANGES` log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md).

