Thank you for flagging this, Jim. I looked a little into this and it comes
from the fabric8 client, so it affects all current operator (and Flink)
versions.

I think it would be a bit risky for us to manually bump this dependency as
the usage is not controlled by us and it's hard to test for all the
consequences of this major version change in the http client.
Also, it seems that this vulnerability would require direct user access to
the http client, which is not the case here.

At this point I think we should not consider this a blocker; I have also
commented on the Jira ticket.

Gyula

On Thu, Jul 21, 2022 at 6:27 PM Jim Busche <jbus...@us.ibm.com> wrote:

> Thanks for the release
>
> I’m continuing to test and so far it’s looking good, but I found a high
> security vulnerability in the
> /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> file. I’ve created issue FLINK-28637
> <https://issues.apache.org/jira/browse/FLINK-28637> and am seeing if I can
> successfully upgrade to the newer okhttp version.
>
> Thanks, Jim
>
