
[chore](dep) Upgrade dependencies #64208

Open
CalvinKirs wants to merge 1 commit into apache:master from CalvinKirs:rich-master-dependency-cve-fix-20260608

Conversation

@CalvinKirs
Member

@CalvinKirs CalvinKirs commented Jun 8, 2026

Summary

Upgrade FE dependency versions for dependency scan findings:

  • Exclude transitive dependencies from hive-exec in fe/hive-udf:
    • org.apache.calcite:calcite-core
    • org.apache.calcite:calcite-druid
    • log4j:log4j
  • Upgrade Netty managed version from 4.1.132.Final to 4.2.15.Final, covering Netty BOM-managed jars such as netty-codec-memcache, netty-codec-mqtt, and netty-transport.
  • Upgrade Azure SDK BOM from 1.3.4 to 1.3.7, updating:
    • azure-storage-blob 12.33.1 -> 12.34.0
    • azure-core 1.57.1 -> 1.58.0
    • azure-core-http-netty 1.16.3 -> 1.16.4
    • azure-storage-common 12.32.1 -> 12.33.0
    • azure-storage-internal-avro 12.18.1 -> 12.19.0
    • azure-identity 1.18.2 -> 1.18.3
  • Override Azure transitive dependencies:
    • msal4j 1.23.1 -> 1.25.0
    • azure-keyvault-core 1.0.0 -> 1.2.6
  • Manage commons-net:commons-net to 3.13.0, replacing older transitive resolutions such as 3.6 from the Hive/Hadoop path and 3.9.0 from Hadoop common.

Validation

  • mvn -pl :fe-core,:fe-filesystem-azure -am dependency:tree -Dincludes=io.netty -DskipTests
  • mvn -pl :fe-core,:fe-filesystem-azure -am dependency:tree -Dincludes=com.azure,com.microsoft.azure -Dverbose -DskipTests
  • mvn -pl :hive-udf -am dependency:tree -Dincludes=log4j:log4j -Dverbose -DskipTests
  • mvn -pl :hive-udf -am dependency:tree -Dincludes=commons-net:commons-net -Dverbose -DskipTests
  • env DORIS_THIRDPARTY=/mnt/disk1/gq/idea/incubator-doris/thirdparty mvn -pl :fe-core,:fe-filesystem-azure -am package -DskipTests
  • env DORIS_THIRDPARTY=/mnt/disk1/gq/idea/incubator-doris/thirdparty mvn -pl :hive-udf -am package -DskipTests
  • FE dependency-check scan
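
A check for the `dependency:tree -Dverbose` listings used in the validation steps above, added here as an example; it is not code from this PR or from the Doris repository. It parses verbose tree output, skips nodes Maven marks as omitted (those never reach the classpath, so a 3.6 or 3.9.0 `commons-net` shown in parentheses is not a finding), and flags any resolved artifact below a required floor or any artifact that should have been excluded outright. The sample tree, the `FLOORS`/`BANNED` policy and the `version_key` comparator are all assumptions: the tree is constructed to look like plugin output, not captured from the project, and the comparator is a simplified stand-in for Maven's `ComparableVersion`.

```python
"""Verify a `mvn dependency:tree -Dverbose` listing against version floors and exclusions.

Added example, not code from the Doris repository. Assumes the line format of the
maven-dependency-plugin verbose tree: coordinates as groupId:artifactId:type[:classifier]:version[:scope],
with omitted nodes wrapped in parentheses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like verbose tree output; NOT real project output.
# It deliberately still resolves log4j:log4j under hive-exec so the check has something to flag.
SAMPLE_TREE = "\n".join([
    "[INFO] org.apache.doris:fe-core:jar:1.2-SNAPSHOT",
    "[INFO] +- io.netty:netty-codec-memcache:jar:4.2.15.Final:compile",
    "[INFO] |  \\- io.netty:netty-transport:jar:4.2.15.Final:compile",
    "[INFO] +- commons-net:commons-net:jar:3.13.0:compile (version managed from 3.9.0)",
    "[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile",
    "[INFO] |  \\- (commons-net:commons-net:jar:3.9.0:compile - omitted for conflict with 3.13.0)",
    "[INFO] \\- org.apache.hive:hive-exec:jar:3.1.3:compile",
    "[INFO]    +- (commons-net:commons-net:jar:3.6:compile - omitted for conflict with 3.13.0)",
    "[INFO]    \\- log4j:log4j:jar:1.2.17:compile",
])

# Policy (assumed for the example): minimum versions that must be the *resolved* version,
# and artifacts that must not resolve at all.
FLOORS = {
    "io.netty:netty-codec-memcache": "4.2.15.Final",
    "io.netty:netty-transport": "4.2.15.Final",
    "commons-net:commons-net": "3.13.0",
}
BANNED = ["log4j:log4j"]

# "[INFO]" plus the tree-drawing characters (| + \ - and spaces) that precede a coordinate.
TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    omitted: bool  # True for "(... - omitted for conflict/duplicate)" nodes, which never reach the classpath


def parse_tree_line(line: str) -> Optional[Node]:
    """Parse one tree line; None for headers, blank lines and anything that is not a coordinate."""
    m = TREE_PREFIX.match(line)
    if not m:
        return None
    rest = line[m.end():].strip()
    omitted = rest.startswith("(")
    if omitted:
        rest = rest[1:]
    if not rest:
        return None
    parts = rest.split()[0].rstrip(")").split(":")
    if len(parts) in (4, 5):      # root "g:a:type:version" or "g:a:type:version:scope"
        group, artifact, version = parts[0], parts[1], parts[3]
    elif len(parts) == 6:         # "g:a:type:classifier:version:scope"
        group, artifact, version = parts[0], parts[1], parts[4]
    else:
        return None
    return Node(group, artifact, version, omitted)


def version_key(v: str) -> Tuple:
    """Simplified ordering (an assumption, not Maven's ComparableVersion): numeric tokens compare
    numerically, Final/GA/RELEASE are ignored, any other qualifier sorts before the bare release."""
    key = []
    for tok in re.split(r"[.\-]", v):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        elif tok.lower() in ("", "final", "ga", "release"):
            continue
        else:
            key.append((0, 0, tok.lower()))
    key.append((1, 0, ""))  # sentinel so that 1.2-SNAPSHOT < 1.2 and 4.2.15 < 4.2.15.1
    return tuple(key)


def resolved_versions(tree_text: str) -> Dict[str, List[str]]:
    """groupId:artifactId -> versions that actually resolve (omitted nodes skipped), in order seen."""
    found: Dict[str, List[str]] = {}
    for line in tree_text.splitlines():
        node = parse_tree_line(line)
        if node is None or node.omitted:
            continue
        found.setdefault(f"{node.group}:{node.artifact}", []).append(node.version)
    return found


def check_floors(tree_text: str, floors: Dict[str, str], banned: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the tree satisfies the policy."""
    resolved = resolved_versions(tree_text)
    findings = []
    for ga in banned:
        for v in resolved.get(ga, []):
            findings.append(f"{ga}:{v} is still resolved; expected it to be excluded")
    for ga, floor in floors.items():
        for v in resolved.get(ga, []):
            if version_key(v) < version_key(floor):
                findings.append(f"{ga}:{v} is below required {floor}")
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real tree output in, or run with no stdin to check the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    problems = check_floors(text, FLOORS, BANNED)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Against the constructed sample the only finding is the un-excluded `log4j:log4j:1.2.17`; the two parenthesised `commons-net` nodes are ignored because Maven reports them as omitted in favour of the managed 3.13.0. To run it on the real tree, pipe the output of one of the `mvn ... dependency:tree -Dverbose` commands listed above into the script; a non-zero exit makes it usable as a CI gate alongside the dependency-check scan.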

@CalvinKirs CalvinKirs requested a review from morningman as a code owner June 8, 2026 07:31
@hello-stephen
Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@CalvinKirs CalvinKirs force-pushed the rich-master-dependency-cve-fix-20260608 branch 2 times, most recently from cdaf776 to 4543942, June 8, 2026 09:21
@CalvinKirs CalvinKirs force-pushed the rich-master-dependency-cve-fix-20260608 branch from 4543942 to 2a99c81, June 8, 2026 10:14
@CalvinKirs
Member Author

run buildall

@hello-stephen
Contributor

FE Regression Coverage Report

Increment line coverage 0.00% (0/106) 🎉
Increment coverage report
Complete coverage report
