Re: [PR] Bump org.tukaani:xz from 1.10 to 1.12 [parquet-java]

2026-03-17 Thread via GitHub


Fokko merged PR #3417:
URL: https://github.com/apache/parquet-java/pull/3417


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.



[PR] Bump org.tukaani:xz from 1.10 to 1.12 [parquet-java]

2026-03-10 Thread via GitHub


dependabot[bot] opened a new pull request, #3417:
URL: https://github.com/apache/parquet-java/pull/3417

   Bumps [org.tukaani:xz](https://github.com/tukaani-project/xz-java) from 1.10 
to 1.12.
   
   Changelog
   Sourced from [org.tukaani:xz's changelog](https://github.com/tukaani-project/xz-java/blob/master/NEWS.md).
   
   1.12 (2026-03-01)
   
   
   Fix ArrayIndexOutOfBoundsException in the LZMA/LZMA2 encoder on
   x86-64 and ARM64 when running on Java 9 or newer. The affected
   code isn't used on Java 8. The bug is present in versions 1.10
   and 1.11. If one cannot upgrade, one should set the property
   org.tukaani.xz.MatchLengthFinder=Basic to disable the affected
   code path.
   
   
   Fix ArrayCache usage in LZMAInputStream. If ArrayCache was enabled,
   decompression was likely to fail quickly when the cache returns a
   cached array. ArrayCache is disabled by default.
   
   
   The binaries of 1.12 in the Maven Central require Java 8 and
   contain optimized classes for Java >= 9 as multi-release JAR.
   They were built with OpenJDK 21.0.10 on GNU/Linux and can be
   reproduced using the following command:
   SOURCE_DATE_EPOCH=177237 TZ=UTC0 ant maven
   
   
   
   1.11 (2025-11-19)
   
   
   Fix a data corruption bug when encoding with the rarely-used option
   LZMA2Options.MODE_UNCOMPRESSED. To trigger the bug, a write
   call must cross an offset that is a multiple of 65536 bytes.
   For example, one write of 7 bytes or two write calls of
   5 bytes each would trigger the bug. The bug isn't triggered
   if there are ten write calls of 8192 bytes each followed by one
   123-byte write.
   If encoding to a .xz file, a decoder would catch the issue because
   the integrity check wouldn't match.
   
   
   The binaries of 1.11 in the Maven Central require Java 8 and
   contain optimized classes for Java >= 9 as multi-release JAR.
   They were built with OpenJDK 21.0.9 on GNU/Linux and can be
   reproduced using the following command:
   SOURCE_DATE_EPOCH=1763575020 TZ=UTC0 ant maven
   
   
   
   
   
   
   Commits
   
   - [107a519](https://github.com/tukaani-project/xz-java/commit/107a519fac1e6789101ad9c234afe3dc407be7f5) Bump the version number to 1.12
   - [3061152](https://github.com/tukaani-project/xz-java/commit/3061152e66a8ea2cc6366fd5da21409b8a3d4788) Update NEWS.md for 1.12
   - [0ecee25](https://github.com/tukaani-project/xz-java/commit/0ecee25c1590dae305135317cf6e768f49093af7) Refactor EXTRA_SIZE to getExtraSize()
   - [ac1aeb1](https://github.com/tukaani-project/xz-java/commit/ac1aeb197dd8589dc6892f13f5ef68801383ec34) Fix ArrayIndexOutOfBoundsException in the LZMA/LZMA2 encoder
   - [12c75fd](https://github.com/tukaani-project/xz-java/commit/12c75fd1d06ef7db89335d3da1ca5bb91ab6ac0b) Fix ArrayCache usage with LZMAInputStream
   - [e52d9ad](https://github.com/tukaani-project/xz-java/commit/e52d9ad621afcaa422668484bad91ce7ba0506ef) SHA256SUMS: Add 1.11 files
   - [9a755ec](https://github.com/tukaani-project/xz-java/commit/9a755ec5335de00ce365b365b72e4683e591171f) CI: Add missing SPDX tags
   - [eec2ad9](https://github.com/tukaani-project/xz-java/commit/eec2ad9de0525bbadeaabc7ba7c02ae9a7fceeec) Bump the version number to 1.11
   - [cd59206](https://github.com/tukaani-project/xz-java/commit/cd59206e5a7e7726f14b6bb4fb66b72d1dc3ee7d) Update NEWS.md for 1.11
   - [afd20a2](https://github.com/tukaani-project/xz-java/commit/afd20a2daf3e8aea42c0a2ef794e9d8acc03561c) Omit the .github directory from releases
   - Additional commits viewable in [compare view](https://github.com/tukaani-project/xz-java/compare/v1.10...v1.12)
   
   
   
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
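
Added example, not part of the pull request or of xz-java: a triage helper that applies the conditions the 1.12 changelog entry gives for the encoder ArrayIndexOutOfBoundsException (versions 1.10 and 1.11, Java 9 or newer, x86-64 or ARM64, workaround property) to `mvn dependency:list` output. The function names, the result labels, the `os.arch` strings and the sample output are assumptions made for the illustration.

```python
import re

# Versions the 1.12 changelog names as containing the encoder bug.
AFFECTED_VERSIONS = {"1.10", "1.11"}
# Assumption: JVM os.arch strings corresponding to the changelog's "x86-64 and ARM64".
AFFECTED_ARCHES = {"amd64", "x86_64", "aarch64"}

# group:artifact:type[:classifier]:version:scope, as printed by `mvn dependency:list`.
XZ_COORD = re.compile(
    r"org\.tukaani:xz:[^:\s]+:(?:[^:\s]+:)?(?P<version>[^:\s]+)"
    r":(?:compile|runtime|test|provided|system)\b"
)


def xz_versions(dependency_list_output):
    """Return every org.tukaani:xz version resolved in the build."""
    return {m.group("version") for m in XZ_COORD.finditer(dependency_list_output)}


def encoder_bug_exposure(version, java_feature, os_arch, match_length_finder=None):
    """Classify one deployment against the conditions stated in the changelog.

    match_length_finder is the value of the system property
    org.tukaani.xz.MatchLengthFinder, or None when it is not set.
    """
    if version not in AFFECTED_VERSIONS:
        return "not-affected"
    if java_feature < 9:
        return "dormant-java8"   # the affected code isn't used on Java 8
    if os_arch not in AFFECTED_ARCHES:
        return "dormant-arch"    # changelog lists only x86-64 and ARM64
    if match_length_finder == "Basic":
        return "mitigated"       # workaround from the changelog is in place
    return "exposed"             # upgrade to 1.12 or set the property


# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.example:demo-lib:jar:1.0:compile
[INFO]    org.tukaani:xz:jar:1.10:compile
[INFO]    org.tukaani:xz:jar:sources:1.12:test
"""

if __name__ == "__main__":
    for v in sorted(xz_versions(SAMPLE_OUTPUT)):
        print(v, encoder_bug_exposure(v, 17, "amd64"))
```
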