ODP-3237: [SPARK-45590][BUILD] Upgrade okio to 1.17.6 from 1.15.0

roczei · shubhluck · commit 80d78923e2bc · 2025-05-16T17:49:49.000-04:00
This PR aims to upgrade `okio` from 1.15.0 to 1.17.6. Okio 1.15.0 is vulnerable due to CVE-2023-3635, details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 Previous attempts to fix this security issue: Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587 Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935 Unfortunately it is still using 1.15.0: https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227 https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210 No. Pass the CIs. No. Closes apache#47758 from roczei/SPARK-45590. Authored-by: Gabor Roczei <roczei@cloudera.com> Signed-off-by: Kent Yao <yao@apache.org> (cherry picked from commit c8cf394) (cherry picked from commit 6616025)
diff --git a/pom.xml b/pom.xml
@@ -240,6 +240,7 @@
     <!-- org.fusesource.leveldbjni will be used except on arm64 platform. -->
     <leveldbjni.group>org.fusesource.leveldbjni</leveldbjni.group>
     <kubernetes-client.version>6.13.2</kubernetes-client.version>
+    <okio.version>1.17.6</okio.version>
 
     <test.java.home>${java.home}</test.java.home>
 
@@ -2800,6 +2801,11 @@
         <artifactId>arpack</artifactId>
         <version>${netlib.ludovic.dev.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.squareup.okio</groupId>
+        <artifactId>okio</artifactId>
+        <version>${okio.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
