You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@beam.apache.org by "Beam JIRA Bot (Jira)" <ji...@apache.org> on 2022/05/30 17:28:00 UTC
[jira] [Commented] (BEAM-14118) beam-vendor-grpc-1_43_2 shades vulnerable Netty version
[ https://issues.apache.org/jira/browse/BEAM-14118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544017#comment-17544017 ]
Beam JIRA Bot commented on BEAM-14118:
--------------------------------------
This issue is P2 but has been unassigned without any comment for 60 days so it has been labeled "stale-P2". If this issue is still affecting you, we care! Please comment and remove the label. Otherwise, in 14 days the issue will be moved to P3.
Please see https://beam.apache.org/contribute/jira-priorities/ for a detailed explanation of what these priorities mean.
> beam-vendor-grpc-1_43_2 shades vulnerable Netty version
> -------------------------------------------------------
>
> Key: BEAM-14118
> URL: https://issues.apache.org/jira/browse/BEAM-14118
> Project: Beam
> Issue Type: Improvement
> Components: runner-flink, runner-spark, sdk-java-harness
> Affects Versions: 2.37.0
> Reporter: Arkadiusz Gasinski
> Priority: P2
> Labels: stale-P2
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> The [beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2] dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]
> In turn, our Beam pipelines builds are marked as vulnerable and we're having issues promoting them to higher environments.
> Because Netty is shaded, we can't simply override the version in the build tool.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)