You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@beam.apache.org by "Arkadiusz Gasinski (Jira)" <ji...@apache.org> on 2022/03/16 22:06:00 UTC
[jira] [Created] (BEAM-14118) beam-vendor-grpc-1_43_2 shades vulnerable Netty dependency
Arkadiusz Gasinski created BEAM-14118:
-----------------------------------------
Summary: beam-vendor-grpc-1_43_2 shades vulnerable Netty dependency
Key: BEAM-14118
URL: https://issues.apache.org/jira/browse/BEAM-14118
Project: Beam
Issue Type: Improvement
Components: runner-flink
Affects Versions: 2.37.0
Reporter: Arkadiusz Gasinski
The [beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2] dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]
In turn, our Beam pipelines builds are marked as vulnerable and we're having issues promoting them to higher environments.
Because Netty is shaded, we can't simply override the version in the build tool.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)