Describe the bug
As seen on https://mvnrepository.com/artifact/com.databricks/databricks-jdbc-thin/3.3.3/dependencies, the thin version still uses at.yawk.lz4:lz4-java, and one with a CVE (CVE-2025-66566).
However, looking at the project's source code on main, it's using org.lz4:lz4-java:
databricks-jdbc/jdbc-core/pom.xml, line 176 in 9a366d3:
<version>${lz4-compression.version}</version>
To Reproduce
Add databricks-jdbc-thin latest version as a dependency or look at maven central.
Expected behavior
To use an updated version of at.yawk.lz4:lz4-java without the vulnerability or org.lz4:lz4-java
Screenshots
Not applicable
Client side logs
Not applicable
Client Environment (please complete the following information):
- OS: Windows
- Java version: 25
- Java vendor: Corretto
- Driver Version: 3.3.3 databricks-jdbc-thin
- BI Tool (if used): not applicable
- BI Tool version: not applicable
Additional context
not applicable
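A way to check which lz4-java coordinate a given POM actually declares, including a version given as a property such as `${lz4-compression.version}`. This is an added example, not code from the report or from the databricks-jdbc project; the function name `lz4_dependencies`, the sample POM and all version strings in it are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# The two lz4-java coordinates named in the report.
LZ4_COORDS = {("at.yawk.lz4", "lz4-java"), ("org.lz4", "lz4-java")}

# Constructed sample POM; every version string is a placeholder.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-thin</artifactId>
  <version>0.0.0-EXAMPLE</version>
  <properties>
    <lz4-compression.version>0.0.0-PLACEHOLDER</lz4-compression.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>at.yawk.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>${lz4-compression.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>0.0.0-OTHER</version>
    </dependency>
  </dependencies>
</project>"""


def lz4_dependencies(pom_text):
    """Return (groupId, artifactId, version) for each lz4-java dependency."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}

    def resolve(value):
        # Expand ${name} from <properties>; unknown names stay visible as-is.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    found = []
    # Covers <dependencies> and <dependencyManagement> entries alike.
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        ver = dep.findtext("m:version", "", NS).strip()
        if (gid, aid) in LZ4_COORDS:
            found.append((gid, aid, resolve(ver) or "(no version declared)"))
    return found
```

The function reads a single POM only, so a version inherited from a parent POM or BOM shows up as "(no version declared)"; `mvn dependency:tree` reports the fully resolved graph.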