tomncooper opened a new pull request, #25602: URL: https://github.com/apache/flink/pull/25602
## What is the purpose of the change

There is a high severity CVE ([CVE-2023-1370](https://nvd.nist.gov/vuln/detail/CVE-2023-1370)) in the json-path version used by Calcite 1.32, which is used in the `flink-table-calcite-bridge` module. Newer versions of Calcite update to newer versions of `json-path`. However, updating Calcite to the latest version ([FLINK-36602](https://issues.apache.org/jira/browse/FLINK-36602)) is not straightforward and involves changes to the SQL parsing logic. Following [discussion](https://lists.apache.org/thread/7ogwvj5z3o176dw95145dzvlolrkyps4) on the dev mailing list, an incremental Calcite upgrade process is preferred. Therefore, this PR simply patches the transitive dependency.

## Brief change log

This PR overrides the specific transitive `json-path` (version 2.7.0) dependency in the `flink-table-calcite-bridge` pom file to version 2.9.0.

## Verifying this change

This change is already covered by existing tests in the `flink-table` module.

## Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): yes
- The public API, i.e., is any changed class annotated with `@Public(Evolving)`: no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
- The S3 file system connector: no

## Documentation

- Does this pull request introduce a new feature? no

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@flink.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
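The shape of override the change log describes, written out as an added example rather than the PR's actual diff: a `dependencyManagement` entry in the module pom that pins `com.jayway.jsonpath:json-path` to 2.9.0, so Maven resolves that version in place of the 2.7.0 that Calcite 1.32 declares transitively, without changing the Calcite version itself. The coordinates are json-path's real Maven coordinates; that the pin lives in `flink-table-calcite-bridge/pom.xml` and is expressed via `dependencyManagement` rather than a direct dependency are assumptions about how the PR phrases it.

```xml
<!-- Added example, not the PR's diff. A dependencyManagement entry in the consuming
     module overrides the version any transitive parent declares (here Calcite 1.32
     pulls json-path 2.7.0), so this module resolves json-path 2.9.0 while Calcite
     stays at 1.32. Location in flink-table-calcite-bridge/pom.xml is assumed. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.jayway.jsonpath</groupId>
      <artifactId>json-path</artifactId>
      <!-- 2.9.0 depends on a json-smart release that is no longer affected by CVE-2023-1370 -->
      <version>2.9.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Two checks are worth running on a pin like this. First, confirm what actually resolved with `mvn dependency:tree -Dincludes=com.jayway.jsonpath,net.minidev` in the module: the parser flaw behind CVE-2023-1370 (unbounded nesting of `[`/`{` in the input) is in json-smart (`net.minidev:json-smart`), json-path's own parser dependency, so the thing to verify is that json-smart resolves to 2.4.9 or later after the pin, not only that json-path reads 2.9.0. Second, the override is scoped to this one module; any other module that pulls in Calcite independently keeps the 2.7.0 transitive unless it gets the same pin or the version is managed once in the root pom. Running a library against a transitive it was not built with can also surface runtime incompatibilities, which is why the existing `flink-table` tests passing matters as part of the verification.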