You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@beam.apache.org by "Arkadiusz Gasinski (Jira)" <ji...@apache.org> on 2022/03/16 22:06:00 UTC

[jira] [Updated] (BEAM-14118) beam-vendor-grpc-1_43_2 shades vulnerable Netty version

     [ https://issues.apache.org/jira/browse/BEAM-14118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arkadiusz Gasinski updated BEAM-14118:
--------------------------------------
    Summary: beam-vendor-grpc-1_43_2 shades vulnerable Netty version  (was: beam-vendor-grpc-1_43_2 shades vulnerable Netty dependency)

> beam-vendor-grpc-1_43_2 shades vulnerable Netty version
> -------------------------------------------------------
>
>                 Key: BEAM-14118
>                 URL: https://issues.apache.org/jira/browse/BEAM-14118
>             Project: Beam
>          Issue Type: Improvement
>          Components: runner-flink
>    Affects Versions: 2.37.0
>            Reporter: Arkadiusz Gasinski
>            Priority: P1
>
> The [beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2] dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]
> In turn, our Beam pipelines builds are marked as vulnerable and we're having issues promoting them to higher environments. 
> Because Netty is shaded, we can't simply override the version in the build tool.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)