humashankar26 opened a new pull request, #6295:
URL: https://github.com/apache/hive/pull/6295

What changes were proposed in this pull request?
This PR upgrades the slf4j-api dependency from 1.7.30 to 2.0.13.

Because Hive is a large multi-module project, I've applied the update in the following key areas to ensure the new version is forced everywhere:

- The root pom.xml (global version management).
- standalone-metastore/pom.xml (to ensure the metastore doesn't pull in older versions independently).
- storage-api/pom.xml (to align the storage layer with the new API).

I also verified that transitive dependencies (like those coming from Hadoop or ORC) are being correctly "managed" (overridden) by this new version.

Why are the changes needed?
The primary goal is to address CVE-2022-2047 and other related security vulnerabilities found in older versions of the SLF4J library.

Beyond security, version 2.0.13 fixes a long-standing bug (SLF4J Issue 409) where logs would sometimes report incorrect line numbers or class names. Upgrading also moves Hive toward the modern Java ServiceLoader mechanism for logging, which is more stable than the old static binder approach used in the 1.7.x line.

Does this PR introduce any user-facing change?
No. This is a backend dependency update. Users shouldn't notice any change in behavior, though developers may notice more accurate source-location reporting in the logs during debugging.

How was this patch tested?
Since this is a dependency change, I focused on build integrity and dependency convergence:

- Dependency Tree Audit: Ran mvn dependency:tree -Dincludes='org.slf4j:*' across the entire project. Verified that all modules (including the tricky ones like hive-exec and metastore-server) are now resolving to version 2.0.13.
- Local Build: Successfully ran a clean build (mvn clean install -DskipTests) to ensure no compilation errors were introduced by the 2.x API changes.
- Security Scan: Verified the fix using the OWASP Dependency-Check tool. The report confirmed that slf4j-api is no longer flagged for known vulnerabilities.
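An added script, not part of this PR or of the Hive build, that mirrors the dependency tree audit described above: it reads the output of `mvn dependency:tree -Dincludes='org.slf4j:*'` from a multi-module build and reports every module that still resolves an org.slf4j artifact to a version other than the expected one. The module names, artifact coordinates and versions in `sample_tree` are constructed sample output, not taken from the Hive repository.

```shell
#!/bin/sh
# Usage against a real build (added example, not the PR author's tooling):
#   mvn dependency:tree -Dincludes='org.slf4j:*' | check_slf4j_versions 2.0.13

# Reads dependency:tree log text on stdin and prints "module artifact version"
# for every org.slf4j node whose version differs from $1. Exit 1 on any mismatch.
check_slf4j_versions() {
    awk -v want="$1" '
        # Per-module header: "[INFO] --- <plugin>:tree (<id>) @ <artifactId> ---"
        /^\[INFO\] --- .*:tree/ {
            for (i = 1; i <= NF; i++) if ($i == "@") module = $(i + 1)
            next
        }
        # Tree node: "[INFO] +- group:artifact:type[:classifier]:version:scope"
        /^\[INFO\] / {
            coord = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^org\.slf4j:/) coord = $i
            if (coord == "") next
            n = split(coord, f, ":")
            version = f[n - 1]        # scope is the last field, version precedes it
            if (version != want) { print module, f[2], version; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of dependency:tree output for two modules; versions and the
# stale transitive under hadoop-common are invented for illustration only.
sample_tree() {
    cat <<'EOF'
[INFO] --- dependency:3.6.1:tree (default-cli) @ hive-exec ---
[INFO] org.apache.hive:hive-exec:jar:0.0.0-SAMPLE
[INFO] +- org.slf4j:slf4j-api:jar:2.0.13:compile
[INFO] \- org.apache.hadoop:hadoop-common:jar:0.0.0-SAMPLE:compile
[INFO]    \- org.slf4j:slf4j-reload4j:jar:1.7.30:compile
[INFO] --- dependency:3.6.1:tree (default-cli) @ metastore-server ---
[INFO] org.apache.hive:hive-standalone-metastore-server:jar:0.0.0-SAMPLE
[INFO] \- org.slf4j:slf4j-api:jar:2.0.13:compile
EOF
}
```

Run `sample_tree | check_slf4j_versions 2.0.13` to see the one stale artifact reported with its module; a clean tree prints nothing and exits 0.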
   


-- 
This is an automated message from the Apache Git Service.