You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@beam.apache.org by "Arkadiusz Gasinski (Jira)" <ji...@apache.org> on 2022/03/16 22:06:00 UTC
[jira] [Updated] (BEAM-14118) beam-vendor-grpc-1_43_2 shades vulnerable Netty version
[ https://issues.apache.org/jira/browse/BEAM-14118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arkadiusz Gasinski updated BEAM-14118:
--------------------------------------
Summary: beam-vendor-grpc-1_43_2 shades vulnerable Netty version (was: beam-vendor-grpc-1_43_2 shades vulnerable Netty dependency)
> beam-vendor-grpc-1_43_2 shades vulnerable Netty version
> -------------------------------------------------------
>
> Key: BEAM-14118
> URL: https://issues.apache.org/jira/browse/BEAM-14118
> Project: Beam
> Issue Type: Improvement
> Components: runner-flink
> Affects Versions: 2.37.0
> Reporter: Arkadiusz Gasinski
> Priority: P1
>
> The [beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2] dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]
> In turn, our Beam pipelines builds are marked as vulnerable and we're having issues promoting them to higher environments.
> Because Netty is shaded, we can't simply override the version in the build tool.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)