Yicong-Huang opened a new pull request, #6202:
URL: https://github.com/apache/texera/pull/6202

   ### What changes were proposed in this PR?
   
   Backport of #6199 to `release/v1.2` (the automated backport hit a 
`build.sbt` context conflict, so this is a manual port of the same change):
   
   - exclude `log4j:log4j` 1.2.17 build-wide (`ThisBuild / 
excludeDependencies`, root `build.sbt`) — it arrives transitively via 
Hadoop/ZooKeeper and log4j 1.x is EOL with open CVEs;
   - add the `log4j-1.2-api` / `log4j-to-slf4j` 2.26.1 bridges in 
`common/workflow-core`, keeping the `org.apache.log4j` API routed through the 
log4j 2 API into slf4j/logback;
   - update `LICENSE-binary` and regenerate `NOTICE-binary` for the four dists 
that bundled log4j 1.2.17 (amber, computing-unit-managing-service, 
file-service, workflow-compiling-service). `log4j-to-slf4j` bumps `slf4j-api` 
2.0.16 → 2.0.17 in the three platform services (amber stays pinned at 1.7.26).
   
   ### Any related issues, documentation, discussions?
   
   Backport of #6199. Resolves the six open `log4j:log4j` Dependabot alerts for 
the v1.2 line: CVE-2019-17571, CVE-2022-23307, CVE-2022-23305 (critical); 
CVE-2023-26464, CVE-2022-23302, CVE-2021-4104 (high).
   
   ### How was this PR tested?
   
   Dependency-only change; existing CI compile/test stacks cover it. Verified 
locally on this branch:
   
   - built the four dists and confirmed `log4j-1.2.17.jar` is gone and only the 
three 2.26.1 jars remain;
   - `./bin/licensing/check_binary_deps.py --ignore-transitive-version jar 
--license-binary <svc>/LICENSE-binary <dist>/lib` passes for all four dists;
   - `NOTICE-binary` files regenerated with 
`./bin/licensing/generate_notice_binary.py` from the rebuilt dists.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Claude Fable 5)
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to