The following potential CVEs were flagged in a security scan of the 3.3.1 Uber Jar located on Maven: https://mvnrepository.com/artifact/com.databricks/databricks-jdbc/3.3.1
Flagged in shaded jars: io.netty:netty-buffer:4.2.6.Final and io.netty:netty-common:4.2.6.Final
CVE-2026-33871 - https://nvd.nist.gov/vuln/detail/CVE-2026-33871
CVE-2026-33870 - https://nvd.nist.gov/vuln/detail/CVE-2026-33870
CVE-2025-67735 - https://nvd.nist.gov/vuln/detail/CVE-2025-67735
These primarily seem to be related to web servers in Netty and likely don't apply to the usage within the databricks-jdbc JAR itself, but either confirmation would be helpful, or updating to versions without CVEs would be greatly appreciated.
This may require bumping Arrow to a compatible version. 19.0.0 has been released somewhat recently: https://mvnrepository.com/artifact/org.apache.arrow/arrow-jdbc/19.0.0
It seems to be compatible with the latest version (which has a CVE in test dependencies, but not runtime): https://mvnrepository.com/artifact/io.netty/netty-common/4.2.12.Final
Please let me know if there's any other way I can assist or any information I could provide.
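A quick way to confirm which Netty modules are actually shaded into an uber jar, independent of whatever the scanner reported, is to read the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that the Maven shade plugin retains from each bundled dependency (these are the same entries most composition-analysis scanners key on). The script below is an added example, not part of this issue or of the databricks-jdbc project; it assumes the jar keeps those `pom.properties` entries (relocation does not rewrite them by default) and uses 4.2.12.Final as the "clean" threshold only because that is the version cited above. The sample jar it builds when run without an argument is constructed inline so the example runs offline; point it at a real jar path to inspect that instead.

```python
import io
import re
import sys
import zipfile

# Threshold is an assumption for this example: anything below 4.2.12.Final
# is reported, matching the version the report says has no runtime CVE.
MIN_NETTY = (4, 2, 12)

POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(version):
    """Reduce a Maven version such as '4.2.6.Final' to a comparable (major, minor, patch) tuple."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:3])


def shaded_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties inside the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = POM_PROPS_RE.match(name)
            if not match:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            # Prefer the values in the file; fall back to the path components.
            gid = props.get("groupId", match.group(1))
            aid = props.get("artifactId", match.group(2))
            found[(gid, aid)] = props.get("version", "?")
    return found


def flag_netty(artifacts, min_version=MIN_NETTY):
    """Return sorted 'group:artifact:version' strings for io.netty modules below min_version."""
    flagged = []
    for (gid, aid), version in artifacts.items():
        if gid == "io.netty" and parse_version(version) < min_version:
            flagged.append(f"{gid}:{aid}:{version}")
    return sorted(flagged)


def build_sample_jar():
    """Constructed sample uber jar: two shaded Netty modules, one Arrow module, one class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/io.netty/netty-buffer/pom.properties",
                    "#Generated by Maven\nversion=4.2.6.Final\n"
                    "groupId=io.netty\nartifactId=netty-buffer\n")
        zf.writestr("META-INF/maven/io.netty/netty-common/pom.properties",
                    "version=4.2.6.Final\ngroupId=io.netty\nartifactId=netty-common\n")
        zf.writestr("META-INF/maven/org.apache.arrow/arrow-vector/pom.properties",
                    "version=19.0.0\ngroupId=org.apache.arrow\nartifactId=arrow-vector\n")
        zf.writestr("com/example/Shaded.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_shaded_netty.py [path/to/uber.jar]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar()
    for entry in flag_netty(shaded_artifacts(data)):
        print("flagged:", entry)
```

Running it against the constructed jar prints the two `io.netty` 4.2.6.Final entries and nothing for Arrow. Whether a flagged module is reachable from the driver's code paths is a separate question that this inventory does not answer; it only establishes what is bundled, which is the first thing to pin down before deciding between a suppression and a version bump.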