GH-44770: [Java] Update minor protobuf version to avoid CVE-2024-7254 #44775
Conversation
|
|
|
@github-actions crossbow submit -g java |
|
Revision: ad603bc Submitted crossbow builds: ursacomputing/crossbow @ actions-a223b3698c
|
|
Not related with this PR but I saw we seem to be using a pretty old bundled version on C++, see: arrow/cpp/thirdparty/versions.txt Lines 95 to 96 in 00de992 What is our policy for updating those dependencies? Do we have any? Should we update it? cc @kou |
|
We can update the bundled version. |
github-actions
bot
added
awaiting merge
|
We don't have our update policy. But we should keep updating dependencies as much as possible for performance and security. |
|
After merging your PR, Conbench analyzed the 3 benchmarking runs that have been run so far on merge-commit ea8b1d3. There were no benchmark performance regressions. 🎉 The full Conbench report has more details. It also includes information about 23 possible false positives for unstable benchmarks that are known to sometimes produce them. |
…4-7254 (apache#44775) ### Rationale for this change There seems to be a CVE affecting our current dependency: GHSA-735f-pc8j-v9w8 ### What changes are included in this PR? Update to latest minor which solves the issue. ### Are these changes tested? Via CI ### Are there any user-facing changes? No * GitHub Issue: apache#44770 Authored-by: Raúl Cumplido <raulcumplido@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com>
3 participants
Rationale for this change
There seems to be a CVE affecting our current dependency:
GHSA-735f-pc8j-v9w8
What changes are included in this PR?
Update to latest minor which solves the issue.
Are these changes tested?
Via CI
Are there any user-facing changes?
No