Hi Spark Developers, I hope you are all having a good week.
I recently opened [https://issues.apache.org/jira/browse/SPARK-57343] regarding outdated dependencies bundled within the PySpark distribution on PyPI.

Currently, the pyspark pip package bundles pre-compiled JARs for Netty (4.2.7.Final) and ZooKeeper (3.9.4) into the site-packages/pyspark/jars/ directory. Because these specific versions are flagged for recent High/Critical CVEs (including CVE-2026-44249 for Netty and CVE-2026-24281 for ZooKeeper), standard enterprise container security scanners (like Prisma Cloud) are forcefully failing immutable Docker image builds when pyspark is installed. Because downstream users cannot surgically delete or swap these bundled JARs in locked CI/CD pipelines without risking PySpark instability, we are currently blocked from deploying the latest PySpark releases.

The Request: Could we look into bumping the internal Maven build properties for PySpark to pull the latest secure patches before the next release cycle?

* io.netty:* -> 4.2.15.Final
* org.apache.zookeeper:zookeeper -> 3.9.5

All the specific CVE details and file paths are attached to the Jira ticket for reference.

Thank you for your time and for all the hard work you put into maintaining Spark!

Regards,
Shahnoor
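An added audit check, not part of the email or of Spark itself, that inspects the bundled jar directory the message describes and reports any Netty or ZooKeeper jar below the versions requested above; the minimum versions, the filename pattern and the sample listing are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Minimum versions requested in the email (assumption: anything older is flagged).
MIN_VERSIONS = {
    "netty": (4, 2, 15),
    "zookeeper": (3, 9, 5),
}

# Matches Maven-style jar names such as "netty-common-4.2.7.Final.jar" or
# "zookeeper-3.9.4.jar": artifact id, dotted numeric version, optional qualifier.
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[.-][A-Za-z0-9]+)*\.jar$"
)


def parse_jar(name):
    """Return (artifact, version_tuple) for a jar filename, or None if unparseable."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version


def family_of(artifact):
    """Map "netty-common", "netty-handler", ... to "netty"; "zookeeper*" to "zookeeper"."""
    for family in MIN_VERSIONS:
        if artifact == family or artifact.startswith(family + "-"):
            return family
    return None


def audit_jars(names):
    """Return (filename, family, version) for every jar below its family's minimum."""
    findings = []
    for name in sorted(names):
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        family = family_of(artifact)
        if family is not None and version < MIN_VERSIONS[family]:
            findings.append((name, family, ".".join(map(str, version))))
    return findings


def audit_installed_pyspark():
    """Audit the real site-packages/pyspark/jars/ directory; [] if pyspark is absent."""
    try:
        import pyspark
    except ImportError:
        return []
    jar_dir = Path(pyspark.__file__).parent / "jars"
    return audit_jars(p.name for p in jar_dir.glob("*.jar"))


# Constructed sample listing mirroring the versions named in the email.
SAMPLE = ["netty-common-4.2.7.Final.jar", "netty-handler-4.2.7.Final.jar",
          "zookeeper-3.9.4.jar", "zookeeper-jute-3.9.4.jar", "py4j-0.10.9.9.jar"]
```

Running `audit_installed_pyspark()` in a CI step gives a fail-fast signal before the container scanner rejects the image.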
