orbisai0security commented on PR #56344: URL: https://github.com/apache/spark/pull/56344#issuecomment-4787796207
Thanks for the pointer. You're right, the diff is identical to #53039, and @dongjoon-hyun's reasoning from November 2025 still holds: since Spark 4.0.0, `okhttp3` is no longer part of the binary distribution, so the CVE-2021-0341 exposure for most users is effectively zero. I'll concede that this PR doesn't add value for Spark 4.x users.

That said, I'd like to raise two questions for maintainer consideration:

1. **Spark 3.x branches**: Is there an active maintenance branch (e.g., `branch-3.5`) where `okhttp3` is still included in the distribution? If so, a targeted backport to that branch might be worthwhile rather than targeting `master`.
2. **Documentation / scanner guidance**: For downstream users who build Spark themselves or include `hadoop-cloud` in their own distributions and hit this CVE in their scanners, would it be appropriate to note the `huaweicloud-provided` Maven profile (SPARK-53590) more prominently in the docs or release notes?

If neither of those is in scope, I'm happy to close this PR.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
