Skip to content

chore(hive): Bump dependencies ahead of 25.7.0 #1100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

chore(hive): Bump dependencies ahead of 25.7.0 #1100

wants to merge 8 commits into from

Conversation

NickLarsenNZ
Copy link
Member

@NickLarsenNZ NickLarsenNZ commented May 6, 2025
edited
Loading

Part of #1087.

Definition of Done Checklist

Note

Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant.

Please make sure all these things are done and tick the boxes

  • Changes are OpenShift compatible
  • All added packages (via microdnf or otherwise) have a comment on why they are added
  • Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
  • All packages should have (if available) signatures/hashes verified
  • Add an entry to the CHANGELOG.md file
  • Integration tests ran successfully
TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

bake --product <product> --image-version <stackable-image-version>
kind load docker-image <image-tagged-with-the-major-version> --name=<name-of-your-test-cluster>

See the output of bake to retrieve the image tag for <image-tagged-with-the-major-version>.

@NickLarsenNZ NickLarsenNZ self-assigned this May 6, 2025
@NickLarsenNZ NickLarsenNZ force-pushed the chore/bump-hive-deps-pre-25.7.0 branch from de105f7 to ed51123 Compare May 6, 2025 10:03
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering May 6, 2025
@NickLarsenNZ NickLarsenNZ enabled auto-merge May 6, 2025 10:03
@NickLarsenNZ NickLarsenNZ mentioned this pull request May 6, 2025
Open
17 tasks
@NickLarsenNZ

This comment was marked as outdated.

Sign in to view
@NickLarsenNZ NickLarsenNZ disabled auto-merge May 6, 2025 11:11
@NickLarsenNZ NickLarsenNZ requested review from lfrancke and removed request for lfrancke May 6, 2025 11:16
@NickLarsenNZ NickLarsenNZ assigned lfrancke and unassigned NickLarsenNZ May 6, 2025
@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Progress in Stackable Engineering May 6, 2025
@NickLarsenNZ NickLarsenNZ moved this from Development: In Progress to Ready for Development in Stackable Engineering May 6, 2025
@lfrancke lfrancke assigned NickLarsenNZ and unassigned lfrancke May 21, 2025
@lfrancke lfrancke moved this from Ready for Development to Development: In Progress in Stackable Engineering May 21, 2025
@NickLarsenNZ
chore(hive): Patch postgres to resolve CVE-2024-1597
53be67e
@NickLarsenNZ
chore(nix): Bump image-utils for newer bake
83afb60 
Note: Should have been done as part of #1118
@NickLarsenNZ
Merge remote-tracking branch 'origin/main' into chore/bump-hive-deps-…
04c119e 
…pre-25.7.0
@NickLarsenNZ
chore(nix): Bump nixpkgs and install nodejs_20 to keep pre-commit happy
80c1c22 
I was getting the following error:

```
An unexpected error has occurred: CalledProcessError: command: ('/nix/store/15jzs4a11nqp4m1xvnw0rz9395anzjsm-nodejs-18.20.8/bin/node', '/run/current-system/sw/bin/npm', 'install', '--include=dev', '--include=prod', '--ignore-prepublish', '--no-progress', '--no-save')
return code: 1
stdout: (none)
stderr:
    npm error code EBADENGINE
    npm error engine Unsupported engine
    npm error engine Not compatible with your version of node/npm: markdownlint-cli@0.45.0
    npm error notsup Not compatible with your version of node/npm: markdownlint-cli@0.45.0
    npm error notsup Required: {"node":">=20"}
    npm error notsup Actual:   {"npm":"10.8.2","node":"v18.20.8"}
    npm error A complete log of this run can be found in: /home/nick/.npm/_logs/2025-05-28T10_40_07_463Z-debug-0.log
Check the log at /home/nick/.cache/pre-commit/pre-commit.log
```
@NickLarsenNZ
chore(hive): Revert hadoop and aws bumps, update changelog
89eb1ef
@NickLarsenNZ NickLarsenNZ moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering May 28, 2025
@NickLarsenNZ
Copy link
Member Author

Notes on patching:

  • 🟢 postgres can be bumped for both 4.0.0 and 4.0.1 (not needed in 3.1.3)
  • 🔴 derby can't be bumped because the CVE isn't fixed until a version that required Java 21 (which Hive does not yet support).
  • 🔴 zookeeper is complicated. We apparently have 3.6.3, but the patch-bumps.txt 3.8.3 -> 3.8.4, so not even a patch bump. It is further complicated by a shaded dependency via hadoop.
  • 🔴 jackson-mapper-asl comes in via hadoop, so can't be resolved until hadoop is bumped.
  • 🔴 avro. We do have a direct dep, and could bump the patch, but is also comes in via hadoop, so does it solve much?
  • ⚪ no patches for 3.1.3 for the same reasons as above plus a bunch of hadoop deps that we are probably stuck with.

In summary, only the critical postgres CVE gets resolved for Hive. I will not work on other severities for now, just so I can close this off.

@NickLarsenNZ NickLarsenNZ requested a review from lfrancke May 28, 2025 10:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lfrancke lfrancke Awaiting requested review from lfrancke

At least 1 approving review is required to merge this pull request.

Assignees

@NickLarsenNZ NickLarsenNZ

Labels
None yet
Projects
Stackable Engineering
Status: Development: Waiting for Review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@NickLarsenNZ @lfrancke