HIVE-29439: Upgrade slf4j-api to 2.0.13 #6295
Draft
humashankar26 wants to merge 2 commits into apache:master from
Conversation

### What changes were proposed in this pull request?

This PR upgrades the slf4j-api dependency from 1.7.30 to 2.0.13.

Because Hive is a large multi-module project, I’ve applied the update in the following key areas to ensure the new version is forced everywhere:

- The root `pom.xml` (global version management).
- `standalone-metastore/pom.xml` (to ensure the metastore doesn't pull in older versions independently).
- `storage-api/pom.xml` (to align the storage layer with the new API).

I also verified that transitive dependencies (like those coming from Hadoop or ORC) are being correctly "managed" (overridden) by this new version.

### Why are the changes needed?

The primary goal is to address CVE-2022-2047 and other related security vulnerabilities found in older versions of the SLF4J library.

Beyond security, version 2.0.13 fixes a long-standing bug (SLF4J Issue 409) where logs would sometimes report incorrect line numbers or class names. Upgrading also moves Hive toward the modern Java ServiceLoader mechanism for logging, which is more stable than the old static binder approach used in the 1.7.x line.

### Does this PR introduce any user-facing change?

No. This is a backend dependency update. Users shouldn't notice any change in behavior, though developers may notice more accurate source-location reporting in the logs during debugging.

### How was this patch tested?

Since this is a dependency change, I focused on build integrity and dependency convergence:

- Dependency Tree Audit: Ran `mvn dependency:tree -Dincludes='org.slf4j:*'` across the entire project. Verified that all modules (including the tricky ones like hive-exec and metastore-server) are now resolving to version 2.0.13.
- Local Build: Successfully ran a clean build (`mvn clean install -DskipTests`) to ensure no compilation errors were introduced by the 2.x API changes.
- Security Scan: Verified the fix using the OWASP Dependency-Check tool. The report confirmed that slf4j-api is no longer flagged for known vulnerabilities.
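As an added illustration of the dependency-tree audit described in the testing section (this script is not part of the Hive PR or of the Hive project), the following Python program parses `mvn dependency:tree -Dincludes='org.slf4j:*'` output, groups every `org.slf4j` artifact by the Maven module that pulled it in, and reports any that resolve to a version other than the expected 2.0.13. The point of running it over the whole tree rather than eyeballing one module is that a scanner only confirms `slf4j-api` itself; a transitive 1.7.x provider surviving in some module is exactly the kind of divergence that forcing the version in every parent pom is meant to prevent. The module names, versions and tree lines embedded below are constructed sample input, not captured from the Hive build.

```python
"""Audit `mvn dependency:tree` output for SLF4J version convergence.

Added example, not Hive project code. Reads tree output from a file given
on the command line, or falls back to the constructed sample below.
"""
import re
import sys
from collections import defaultdict

EXPECTED_SLF4J_VERSION = "2.0.13"

# A module header line in dependency:tree output has no scope field, e.g.
#   [INFO] org.apache.hive:hive-exec:jar:4.1.0-SNAPSHOT
MODULE_RE = re.compile(r"^\[INFO\] ([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)$")

# A dependency line carries tree-drawing characters and a scope, e.g.
#   [INFO] |  +- org.slf4j:slf4j-api:jar:2.0.13:compile
# Fields: groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"^\[INFO\] [|+\\ \-]+ ([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)"
)

# Constructed sample output (hypothetical modules and versions, not a real Hive build).
SAMPLE_TREE = r"""
[INFO] org.apache.hive:hive-storage-api:jar:4.1.0-SNAPSHOT
[INFO] \- org.slf4j:slf4j-api:jar:2.0.13:compile
[INFO] org.apache.hive:hive-exec:jar:4.1.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:2.0.13:compile
[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    \- org.slf4j:slf4j-reload4j:jar:1.7.36:compile
"""


def parse_tree(lines):
    """Return {"groupId:artifactId" of module: [(artifact, version, scope), ...]}
    for every org.slf4j artifact found under that module."""
    found = defaultdict(list)
    module = None
    for line in lines:
        header = MODULE_RE.match(line)
        if header:
            module = f"{header.group(1)}:{header.group(2)}"
            continue
        dep = DEP_RE.match(line)
        if dep and dep.group(1) == "org.slf4j":
            found[module or "<unknown module>"].append(
                (dep.group(2), dep.group(3), dep.group(4))
            )
    return dict(found)


def find_divergent(found, expected=EXPECTED_SLF4J_VERSION):
    """List (module, artifact, version, scope) tuples whose version differs
    from the expected one, i.e. the convergence failures to chase down."""
    return [
        (module, artifact, version, scope)
        for module, deps in found.items()
        for artifact, version, scope in deps
        if version != expected
    ]


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_TREE.splitlines()
    divergent = find_divergent(parse_tree(lines))
    for module, artifact, version, scope in divergent:
        print(f"{module}: org.slf4j:{artifact} resolves to {version} ({scope}), "
              f"expected {EXPECTED_SLF4J_VERSION}")
    # Non-zero exit so the audit can gate a CI job.
    return 1 if divergent else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as `mvn dependency:tree -Dincludes='org.slf4j:*' | tee slf4j-tree.log` followed by `python audit_slf4j.py slf4j-tree.log`; on the constructed sample it flags the `slf4j-reload4j` 1.7.36 artifact that Hadoop drags into the hypothetical `hive-exec` module while the api itself is already at 2.0.13.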