
Bump avro to 1.11.3 #4024

Merged
merged 1 commit into from
Oct 5, 2023

Conversation

li-boxuan
Member

See CVE-2023-39410 for vulnerability in avro 1.11.2 and below


Thank you for contributing to JanusGraph!

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there an issue associated with this PR? Is it referenced in the commit message?
  • Does your PR body contain #xyz where xyz is the issue number you are trying to resolve?
  • Has your PR been rebased against the latest commit within the target branch (typically master)?
  • Is your initial contribution a single, squashed commit?

For code changes:

  • Have you written and/or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE.txt file, including the main LICENSE.txt file in the root of this repository?
  • If applicable, have you updated the NOTICE.txt file, including the main NOTICE.txt file found in the root of this repository?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

See CVE-2023-39410 for vulnerability in avro 1.11.2 and below

Signed-off-by: Boxuan Li <[email protected]>
@li-boxuan li-boxuan added dependencies Pull requests that update a dependency file backport/v0.6 labels Oct 4, 2023
@janusgraph-bot janusgraph-bot added the cla: external Externally-managed CLA label Oct 4, 2023
@@ -768,7 +769,7 @@
<dependency>
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<version>1.11.1</version>
<version>${avro.version}</version>
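Review bot: the new `<version>${avro.version}</version>` line depends on an `avro.version` property whose definition is not visible in this hunk; the header shift from `-768,7` to `+769,7` suggests one line was added earlier in the file, so please confirm that line is a `<properties>` entry setting `avro.version` to `1.11.3`, matching the PR title, since an undefined property would leave the version unresolved rather than pinned to the fixed release. It would also help to mention in the PR description that the removed literal was `1.11.1`, not `1.11.2`, so readers can see that the previous version falls inside the range the CVE text describes.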
Member


Really not important, but is there a specific reason for using a property for the version number here?

Member Author


Ah, there's no specific reason. I just thought using a property would be the standard approach?

@li-boxuan li-boxuan added this to the Release v1.0.0 milestone Oct 5, 2023
@li-boxuan li-boxuan merged commit a70df84 into JanusGraph:master Oct 5, 2023
106 checks passed
@janusgraph-automations

💔 All backports failed

| Status | Branch | Result |
|---|---|---|
| | v0.6 | Backport failed because of merge conflicts |

You might need to backport the following PRs to v0.6:
- Remove dangling netty dependency management
- Bump testcontainers.version from 1.19.0 to 1.19.1

Manual backport

To create the backport manually run:

backport --pr 4024

Questions?

Please refer to the Backport tool documentation and see the Github Action logs for details

@li-boxuan
Member Author

💚 All backports created successfully

| Status | Branch | Result |
|---|---|---|
| | v0.6 | |

Note: Successful backport PRs will be merged automatically after passing CI.

Questions?

Please refer to the Backport tool documentation
