
[FLINK-33408] Bump the snakeyaml from 1.33 to 2.0 to fix the container vulnerability. #23631

Open
wants to merge 3 commits into base: master

Conversation

ShijieChow

What is the purpose of the change

This pull request fixes the container vulnerability CVE-2022-1471 by upgrading the SnakeYaml Maven dependency in the flink-kubernetes module.

Brief change log

Upgrade the Kubernetes Client from 6.6.2 to 6.7.0, thereby upgrading the version of snakeyaml, on which the Kubernetes Client indirectly depends, from 1.33 to 2.0.

Verifying this change

This change is already covered by existing flink-kubernetes tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

@flinkbot
Collaborator

flinkbot commented Oct 31, 2023

CI report:

Bot commands: the @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@MartijnVisser
Contributor

could you please review this PR for me.

Please don't ping random people

@ShijieChow
Author

ShijieChow commented Nov 2, 2023

could you please review this PR for me.

Please don't ping random people

I thought these people might be related to my ISSUE, so I mentioned them in the PR, sorry about that. Thanks for your kind reminder. I'll avoid it in the future.

@ShijieChow ShijieChow changed the title [FLINK-33408] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency in flink-kubernetes module. [FLINK-33408] Bump the snakeyaml from 1.33 to 1.20 to fix the container vulnerability.. Nov 2, 2023
@ShijieChow ShijieChow changed the title [FLINK-33408] Bump the snakeyaml from 1.33 to 1.20 to fix the container vulnerability.. [FLINK-33408] Bump the snakeyaml from 1.33 to 1.20 to fix the container vulnerability. Nov 2, 2023
@ShijieChow ShijieChow changed the title [FLINK-33408] Bump the snakeyaml from 1.33 to 1.20 to fix the container vulnerability. [FLINK-33408] Bump the snakeyaml from 1.33 to 2.0 to fix the container vulnerability. Nov 2, 2023