[fix][sec] Upgrade commons-compress to 1.26.0 (apache#22086)

(cherry picked from commit 613a771)
nodece · Feb 23, 2024 · c43645f · c43645f
1 parent 585736a
commit c43645f
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -349,7 +349,7 @@ The Apache Software License, Version 2.0
     - commons-lang-commons-lang-2.6.jar
     - commons-logging-commons-logging-1.1.1.jar
     - org.apache.commons-commons-collections4-4.1.jar
-    - org.apache.commons-commons-compress-1.21.jar
+    - org.apache.commons-commons-compress-1.26.0.jar
     - org.apache.commons-commons-lang3-3.11.jar
  * Netty
     - io.netty-netty-buffer-4.1.100.Final.jar

diff --git a/pom.xml b/pom.xml
@@ -102,7 +102,7 @@ flexible messaging model and an intuitive client API.</description>
     <narPluginPhase>package</narPluginPhase>
 
     <!-- apache commons -->
-    <commons-compress.version>1.21</commons-compress.version>
+    <commons-compress.version>1.26.0</commons-compress.version>
 
     <bookkeeper.version>4.14.8</bookkeeper.version>
     <zookeeper.version>3.9.1</zookeeper.version>

diff --git a/.../runtime-all/src/test/java/org/apache/pulsar/functions/instance/JavaInstanceDepsTest.java b/.../runtime-all/src/test/java/org/apache/pulsar/functions/instance/JavaInstanceDepsTest.java
@@ -47,6 +47,8 @@
  *     8. Apache AVRO
  *     9. Jackson Mapper and Databind (dependency of AVRO)
  *     10. Apache Commons Compress (dependency of AVRO)
+ *     11. Apache Commons Lang (dependency of Apache Commons Compress)
+ *     12. Apache Commons IO (dependency of Apache Commons Compress)
  */
 public class JavaInstanceDepsTest {
 
@@ -72,6 +74,8 @@ public void testInstanceJarDeps() throws IOException {
                         && !name.startsWith("org/apache/avro")
                         && !name.startsWith("com/fasterxml/jackson")
                         && !name.startsWith("org/apache/commons/compress")
+                        && !name.startsWith("org/apache/commons/lang3")
+                        && !name.startsWith("org/apache/commons/io")
                         && !name.startsWith("com/google")
                         && !name.startsWith("org/checkerframework")
                         && !name.startsWith("javax/annotation")

diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
@@ -228,7 +228,7 @@ The Apache Software License, Version 2.0
     - guice-5.1.0.jar
  * Apache Commons
     - commons-math3-3.6.1.jar
-    - commons-compress-1.21.jar
+    - commons-compress-1.26.0.jar
     - commons-lang3-3.11.jar
  * Netty
      - netty-3.10.6.Final.jar