Commit 9fb9cff

pan3793 authored and yaooqinn committed
[SPARK-49120][BUILD] Bump Gson 2.11.0
### What changes were proposed in this pull request?

Currently, Spark pulls Gson 2.2.4 from `hive-exec`, which is pretty old and [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647). This PR proposes to upgrade it to the latest version 2.11.0.

<img width="697" alt="image" src="https://github.com/user-attachments/assets/f101ab3f-875c-4cc3-9692-48394c9ada3e">

### Why are the changes needed?

For security.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

GHA.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #47627 from pan3793/SPARK-49120.

Authored-by: Cheng Pan <[email protected]>
Signed-off-by: Kent Yao <[email protected]>
1 parent 0346b18 commit 9fb9cff

2 files changed: +14 -1 lines changed

dev/deps/spark-deps-hadoop-3-hive-2.3

Lines changed: 1 addition & 1 deletion
@@ -66,7 +66,7 @@ esdk-obs-java/3.20.4.2//esdk-obs-java-3.20.4.2.jar
6666
flatbuffers-java/24.3.25//flatbuffers-java-24.3.25.jar
6767
gcs-connector/hadoop3-2.2.21/shaded/gcs-connector-hadoop3-2.2.21-shaded.jar
6868
gmetric4j/1.0.10//gmetric4j-1.0.10.jar
69-
gson/2.2.4//gson-2.2.4.jar
69+
gson/2.11.0//gson-2.11.0.jar
7070
guava/14.0.1//guava-14.0.1.jar
7171
hadoop-aliyun/3.4.0//hadoop-aliyun-3.4.0.jar
7272
hadoop-annotations/3.4.0//hadoop-annotations-3.4.0.jar
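
Review bot: at line 69 the manifest moves gson from 2.2.4 straight to 2.11.0, while the commit message says this jar was previously supplied through `hive-exec` and lists GHA as the only testing. The PR should state whether the Hive code paths that call Gson were exercised against 2.11.0, because a manifest swap alone does not show that code built against 2.2.4 still links and behaves the same at runtime.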

pom.xml

Lines changed: 13 additions & 0 deletions
@@ -197,6 +197,7 @@
197197
<commons-pool2.version>2.12.0</commons-pool2.version>
198198
<datanucleus-core.version>4.1.17</datanucleus-core.version>
199199
<guava.version>14.0.1</guava.version>
200+
<gson.version>2.11.0</gson.version>
200201
<janino.version>3.1.9</janino.version>
201202
<jersey.version>3.0.12</jersey.version>
202203
<joda.version>2.12.7</joda.version>
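
Review bot: the new `<gson.version>2.11.0</gson.version>` property at line 200 has no comment saying why Gson is pinned here. Per the commit message it exists to override the 2.2.4 that arrives via `hive-exec` because of CVE-2022-25647; a short XML comment above the property recording that would keep a later cleanup from removing or lowering the pin.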
@@ -572,6 +573,18 @@
572573

573574
<!-- End of shaded deps -->
574575

576+
<dependency>
577+
<groupId>com.google.code.gson</groupId>
578+
<artifactId>gson</artifactId>
579+
<version>${gson.version}</version>
580+
<exclusions>
581+
<exclusion>
582+
<groupId>com.google.errorprone</groupId>
583+
<artifactId>error_prone_annotations</artifactId>
584+
</exclusion>
585+
</exclusions>
586+
</dependency>
587+
575588
<!-- Provide a JAXB impl; no longer auto available in Java 9+ in the JDK -->
576589
<dependency>
577590
<groupId>org.glassfish.jaxb</groupId>
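
Review bot: the `<exclusion>` of `com.google.errorprone:error_prone_annotations` at lines 581-584 is undocumented, and neither the hunk nor the commit message gives the reason for it. Add a one-line comment stating why the artifact is excluded so the exclusion is not removed or copied blindly. The new `<dependency>` block would also read better with a leading comment, in the style of the JAXB comment that follows it, noting that it overrides the Gson version inherited from `hive-exec`.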
