I did some further investigation on this topic.
My goal is to decouple Pulsar's protobuf and grpc versions from Bookkeeper
protobuf and grpc versions.
Pulsar uses these dependencies from Bookkeeper:
With org.apache.bookkeeper:
bookkeeper-common-allocator
bookkeeper-common
bookkeeper-serve
Looks like shading the dependency is a good idea. It can break the
dependency cycle.
+1 to shade the dependency
Best regards,
Yong
On Fri, 15 Dec 2023 at 02:58, Lari Hotari wrote:
> I would like to make a minor correction to my previous email:
>
> The pull request https://github.com/apache/boo
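As an added illustration of the shading approach endorsed above (an example configuration written for this thread, not build code from the Pulsar or BookKeeper projects), the maven-shade-plugin fragment below relocates the protobuf and gRPC packages inside a BookKeeper artifact so that Pulsar can keep its own, independently versioned protobuf and gRPC on the classpath. The `org.apache.bookkeeper.shaded` prefix and the choice of which artifacts to pull into the shaded jar are assumptions for the example.

```xml
<!-- Example only: not the BookKeeper or Pulsar pom. Package prefix and
     artifact selection below are assumptions for illustration. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <!-- Publish a pom without the shaded dependencies, so consumers such as
             Pulsar no longer inherit BookKeeper's protobuf/gRPC versions transitively. -->
        <createDependencyReducedPom>true</createDependencyReducedPom>
        <artifactSet>
          <includes>
            <!-- Assumed set of artifacts to embed; everything else stays a normal dependency. -->
            <include>com.google.protobuf:protobuf-java</include>
            <include>io.grpc:*</include>
          </includes>
        </artifactSet>
        <relocations>
          <!-- Move the runtime packages under an assumed private prefix so they
               cannot collide with the copies Pulsar brings in itself. -->
          <relocation>
            <pattern>com.google.protobuf</pattern>
            <shadedPattern>org.apache.bookkeeper.shaded.com.google.protobuf</shadedPattern>
          </relocation>
          <relocation>
            <pattern>io.grpc</pattern>
            <shadedPattern>org.apache.bookkeeper.shaded.io.grpc</shadedPattern>
          </relocation>
        </relocations>
        <transformers>
          <!-- gRPC loads channel, transport and name-resolver providers via
               java.util.ServiceLoader; this transformer merges the META-INF/services
               files and rewrites the class names in them to the relocated packages. -->
          <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
        </transformers>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Two checks are worth running on the result. First, list the shaded jar (`jar tf`) and confirm that no `com/google/protobuf/` or `io/grpc/` entries remain outside the relocated prefix; a single unrelocated class means the dependency cycle has not actually been broken. Second, make sure that any classes generated from `.proto` files inside the shaded artifact are relocated together with the runtime, because a message object built against one copy of protobuf cannot be passed to code compiled against the other.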
I would like to make a minor correction to my previous email:
The pull request https://github.com/apache/bookkeeper/pull/3992 has been merged
into the master branch and not rolled back. Consequently, CVE-2023-32732 has
been resolved in the master branch with gRPC 1.56.0. However, this change was
Dear all,
I'm reaching out to discuss an ongoing issue in Pulsar related to
CVE-2023-32732, which necessitates upgrading gRPC in Pulsar. Although this CVE
isn't critical, it's flagged by CVE scanners, and addressing it requires
careful coordination of upgrades for gRPC and Protobuf libraries in