[Infra] [Security] Update Scala and packages dependencies #2828
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@allisonport-db @scottsand-db, could you please take a look? This kind of PR gets old and conflicting pretty quick |
Merged
5 tasks
scottsand-db
approved these changes
Apr 10, 2024
|
LGTM! Thanks! |
|
@allisonport-db could you help with the merge? Thanks! |
|
@scottsand-db @allisonport-db could we merge this before 3.2? |
Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
felipepessoto
force-pushed
the
update-dependencies-version
branch
from
1f56ff4 to
001a310
Compare
Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
|
@scottsand-db @allisonport-db I rebased and updated the PR to include a new file spark_master_test.yaml. |
|
Will merge after it passes tests (except for the 1 failing test in Spark Master) |
scottsand-db
pushed a commit
to scottsand-db/delta
that referenced
this pull request
May 1, 2024
) #### Which Delta project/connector is this regarding? - [X] Spark - [X] Standalone - [X] Flink - [X] Kernel - [ ] Other (fill in here) ## Description We haven't updated some dependencies for a while, exposing us to security risks. This PR updates: - Scala 2.12 to 2.12.18 (the same used by Spark 3.5 branch) - Scala 2.13 to 2.13.13 (the same in Spark master branch). [CVE-2022-36944](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36944) - Update SBT to 1.9.9. [CVE-2023-46122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122) - Update JUnit. Fix delta-io#1518 - [CVE-2020-15250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250) - Update plugins: sbt-mima-plugin and sbt-scoverage ## How was this patch tested? CI ## Does this PR introduce _any_ user-facing changes? No --------- Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
scottsand-db
pushed a commit
to scottsand-db/delta
that referenced
this pull request
May 1, 2024
) - [X] Spark - [X] Standalone - [X] Flink - [X] Kernel - [ ] Other (fill in here) We haven't updated some dependencies for a while, exposing us to security risks. This PR updates: - Scala 2.12 to 2.12.18 (the same used by Spark 3.5 branch) - Scala 2.13 to 2.13.13 (the same in Spark master branch). [CVE-2022-36944](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36944) - Update SBT to 1.9.9. [CVE-2023-46122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122) - Update JUnit. Fix delta-io#1518 - [CVE-2020-15250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250) - Update plugins: sbt-mima-plugin and sbt-scoverage CI No --------- Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
5 tasks
allisonport-db
added a commit
that referenced
this pull request
May 3, 2024
<!-- Thanks for sending a pull request! Here are some tips for you: 1. If this is your first time, please read our contributor guidelines: https://github.com/delta-io/delta/blob/master/CONTRIBUTING.md 2. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP] Your PR title ...'. 3. Be sure to keep the PR description updated to reflect all changes. 4. Please write your PR title to summarize what this PR proposes. 5. If possible, provide a concise example to reproduce the issue for a faster review. 6. If applicable, include the corresponding issue number in the PR title and link it in the body. --> #### Which Delta project/connector is this regarding? <!-- Please add the component selected below to the beginning of the pull request title For example: [Spark] Title of my pull request --> - [ ] Spark - [ ] Standalone - [ ] Flink - [ ] Kernel - [X] Other (fill in here) ## Description #2828 upgrades the SBT version from 1.5.5 to 1.9.9 which causes `projectName/checkstyle` to fail with ``` sbt:delta> kernelApi/checkstyle [error] stack trace is suppressed; run last kernelApi / checkstyle for the full output [error] (kernelApi / checkstyle) org.xml.sax.SAXParseException; lineNumber: 18; columnNumber: 10; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true. [error] Total time: 0 s, completed May 1, 2024 2:59:48 PM ``` This failure was silent in our CI runs for some reason, if you search the logs before that commit you can see "checkstyle" in them but no instances after. This is a little concerning but don't really have time to figure out why this was silent. For now, upgrades versions to match Spark's current plugins which fixes the issue. See the matching Spark PR here apache/spark#38481. ## How was this patch tested? Ran `kernelApi/checkstyle` locally. TODO: verify it's present in the CI runs after as well ## Does this PR introduce _any_ user-facing changes? No.
allisonport-db
added a commit
to allisonport-db/delta
that referenced
this pull request
May 4, 2024
…#3019) <!-- Thanks for sending a pull request! Here are some tips for you: 1. If this is your first time, please read our contributor guidelines: https://github.com/delta-io/delta/blob/master/CONTRIBUTING.md 2. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP] Your PR title ...'. 3. Be sure to keep the PR description updated to reflect all changes. 4. Please write your PR title to summarize what this PR proposes. 5. If possible, provide a concise example to reproduce the issue for a faster review. 6. If applicable, include the corresponding issue number in the PR title and link it in the body. --> #### Which Delta project/connector is this regarding? <!-- Please add the component selected below to the beginning of the pull request title For example: [Spark] Title of my pull request --> - [ ] Spark - [ ] Standalone - [ ] Flink - [ ] Kernel - [X] Other (fill in here) ## Description delta-io#2828 upgrades the SBT version from 1.5.5 to 1.9.9 which causes `projectName/checkstyle` to fail with ``` sbt:delta> kernelApi/checkstyle [error] stack trace is suppressed; run last kernelApi / checkstyle for the full output [error] (kernelApi / checkstyle) org.xml.sax.SAXParseException; lineNumber: 18; columnNumber: 10; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true. [error] Total time: 0 s, completed May 1, 2024 2:59:48 PM ``` This failure was silent in our CI runs for some reason, if you search the logs before that commit you can see "checkstyle" in them but no instances after. This is a little concerning but don't really have time to figure out why this was silent. For now, upgrades versions to match Spark's current plugins which fixes the issue. See the matching Spark PR here apache/spark#38481. ## How was this patch tested? Ran `kernelApi/checkstyle` locally. TODO: verify it's present in the CI runs after as well ## Does this PR introduce _any_ user-facing changes? No. (cherry picked from commit 12cabb7)
5 tasks
allisonport-db
pushed a commit
that referenced
this pull request
Aug 16, 2024
…#3139) #### Which Delta project/connector is this regarding? - [ ] Spark - [ ] Standalone - [ ] Flink - [X] Kernel - [X] Other (connector, examples, benchmark) ## Description #2828 updated SBT version to Spark Delta. This is a follow up to update other projects. - Update SBT to 1.9.9. [CVE-2023-46122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122) ## How was this patch tested? CI ## Does this PR introduce _any_ user-facing changes? No --------- Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
rajeshparangi
pushed a commit
to rajeshparangi/delta
that referenced
this pull request
Aug 16, 2024
…delta-io#3139) #### Which Delta project/connector is this regarding? - [ ] Spark - [ ] Standalone - [ ] Flink - [X] Kernel - [X] Other (connector, examples, benchmark) ## Description delta-io#2828 updated SBT version to Spark Delta. This is a follow up to update other projects. - Update SBT to 1.9.9. [CVE-2023-46122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122) ## How was this patch tested? CI ## Does this PR introduce _any_ user-facing changes? No --------- Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which Delta project/connector is this regarding?
Description
We haven't updated some dependencies for a while, exposing us to security risks.
This PR updates:
How was this patch tested?
CI
Does this PR introduce any user-facing changes?
No