Yicong-Huang opened a new pull request, #6202: URL: https://github.com/apache/texera/pull/6202
### What changes were proposed in this PR? Backport of #6199 to `release/v1.2` (the automated backport hit a `build.sbt` context conflict, so this is a manual port of the same change): - exclude `log4j:log4j` 1.2.17 build-wide (`ThisBuild / excludeDependencies`, root `build.sbt`) — it arrives transitively via Hadoop/ZooKeeper and log4j 1.x is EOL with open CVEs; - add the `log4j-1.2-api` / `log4j-to-slf4j` 2.26.1 bridges in `common/workflow-core`, keeping the `org.apache.log4j` API routed through the log4j 2 API into slf4j/logback; - update `LICENSE-binary` and regenerate `NOTICE-binary` for the four dists that bundled log4j 1.2.17 (amber, computing-unit-managing-service, file-service, workflow-compiling-service). `log4j-to-slf4j` bumps `slf4j-api` 2.0.16 → 2.0.17 in the three platform services (amber stays pinned at 1.7.26). ### Any related issues, documentation, discussions? Backport of #6199. Resolves the six open `log4j:log4j` Dependabot alerts for the v1.2 line: CVE-2019-17571, CVE-2022-23307, CVE-2022-23305 (critical); CVE-2023-26464, CVE-2022-23302, CVE-2021-4104 (high). ### How was this PR tested? Dependency-only change; existing CI compile/test stacks cover it. Verified locally on this branch: - built the four dists and confirmed `log4j-1.2.17.jar` is gone and only the three 2.26.1 jars remain; - `./bin/licensing/check_binary_deps.py --ignore-transitive-version jar --license-binary <svc>/LICENSE-binary <dist>/lib` passes for all four dists; - `NOTICE-binary` files regenerated with `./bin/licensing/generate_notice_binary.py` from the rebuilt dists. ### Was this PR authored or co-authored using generative AI tooling? Generated-by: Claude Code (Claude Fable 5) 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
