wu-sheng opened a new pull request, #13913: URL: https://github.com/apache/skywalking/pull/13913
This clears the actionable, non-Go Dependabot alerts on `master`. (The Go e2e-fixture alerts require a Go 1.24 agent toolchain and are handled separately via skywalking-go image work + an e2e follow-up.)

### Shipped product (oap-server-bom + LICENSE + docs)

- **Apache Curator `4.3.0` → `5.9.0`** (+ `curator-test`) and **Apache ZooKeeper `3.5.7` → `3.9.5`**, bumped together — Curator 5.x is the line that carries the ZK 3.9.x client. Clears **CVE-2023-44981** (critical). OAP is a ZooKeeper *client* only, so the server-side bug was never reachable, but the bundled jar tripped Dependabot. The cluster-zookeeper and configuration-zookeeper plugins use only stable Curator APIs, so no source changes were required. Operator-facing change: supported ZooKeeper server version is now 3.5+ (3.4.x dropped by Curator 5.x). `dist-material/release-docs/LICENSE` regenerated (curator ×4, zookeeper + jute, audience-annotations); `application.yml` + `backend-cluster.md` updated.

### Build/test scope

- **assertj-core `3.20.2` → `3.27.7`** — clears CVE-2026-24400 (XXE in `isXmlEqualTo`, unused), test scope.

### e2e test fixtures (`test/e2e-v2`, never shipped)

- guava → `32.0.0-jre`, kafka-clients → `3.9.2` (+ removed a stale unused `2.4.1` property), log4j-core → `2.25.4`, logback → `1.2.13` (the Java-8 line, not Dependabot's JDK-11 `1.4.12`), json-path → `2.9.0`, flask → `3.1.3`, protobuf → `4.25.8`.

### Validation

- Full `clean install` of the reactor (BOM change) ✓; cluster-zookeeper + configuration-zookeeper plugin tests ✓ on Curator 5.9.0 / ZK 3.9.5; `java-test-service` e2e reactor compiles against the bumped deps ✓; checkstyle + license-header preflight ✓.

<!-- not a bug/feature/perf — dependency/CVE maintenance -->

- [ ] If this pull request closes/resolves/fixes an existing issue, replace the issue number. Closes #NNNN.
- [x] Update the [`CHANGES` log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md).
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
