Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2022/06/05 01:06:51 UTC

[GitHub] [beam] damccorm opened a new issue, #21639: beam-vendor-grpc-1_43_2 shades vulnerable Netty version

damccorm opened a new issue, #21639:
URL: https://github.com/apache/beam/issues/21639

   The [beam-vendor-grpc-1_43_2](https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2) dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final](https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final)
   
   In turn, our Beam pipeline builds are marked as vulnerable and we're having issues promoting them to higher environments.
   
   Because Netty is shaded, we can't simply override the version in the build tool.
   
   Imported from Jira [BEAM-14118](https://issues.apache.org/jira/browse/BEAM-14118). Original Jira may contain additional context.
   Reported by: jigga.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
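
The report above notes that a shaded Netty cannot be overridden from the build tool; it can still be located by inspecting the jar itself. The following is an added example, not part of the original issue or Beam's code: it lists the relocation prefixes under which `io/netty` classes sit and reads versions from any `META-INF/maven/io.netty/*/pom.properties` left in the jar. The `org/example/vendor/` prefix and the sample jar are constructed, and the version lookup assumes the shading step kept Netty's Maven metadata, which not every shaded jar does.

```python
import io
import re
import zipfile

# A Netty class under any relocation prefix, e.g. (constructed prefix)
# org/example/vendor/io/netty/buffer/ByteBuf.class. Empty prefix = unshaded.
NETTY_CLASS = re.compile(r"^(?P<prefix>(?:.*?/)?)io/netty/[^/]+/.*\.class$")
# Maven metadata that a shading step may leave behind (assumption: not stripped).
POM_PROPS = re.compile(
    r"^META-INF/maven/io\.netty/(?P<artifact>[^/]+)/pom\.properties$")


def find_shaded_netty(jar_bytes):
    """Return relocation prefixes and any recorded Netty versions in a jar."""
    prefixes, versions = set(), {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = NETTY_CLASS.match(name)
            if m:
                prefixes.add(m.group("prefix"))
                continue
            m = POM_PROPS.match(name)
            if m:
                text = jar.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        versions[m.group("artifact")] = line.split("=", 1)[1].strip()
    return {
        "relocated": sorted(p for p in prefixes if p),  # shaded copies
        "unshaded": "" in prefixes,                     # plain io/netty classes
        "versions": versions,
    }


def build_sample_jar():
    """Constructed sample: Netty relocated under a made-up vendor prefix."""
    buf = io.BytesIO()
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; content is irrelevant here
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/vendor/io/netty/buffer/ByteBuf.class", stub)
        jar.writestr("org/example/vendor/io/netty/channel/Channel.class", stub)
        jar.writestr("META-INF/maven/io.netty/netty-buffer/pom.properties",
                     "groupId=io.netty\nartifactId=netty-buffer\nversion=4.1.63.Final\n")
        jar.writestr("org/example/app/Main.class", stub)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_shaded_netty(build_sample_jar()))
```

A non-empty `relocated` list with an empty `versions` map means a vendored copy is present but its version has to be established another way, for example from the vendoring project's build definition.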


[GitHub] [beam] Abacn closed issue #21639: beam-vendor-grpc-1_43_2 shades vulnerable Netty version

Posted by "Abacn (via GitHub)" <gi...@apache.org>.
Abacn closed issue #21639: beam-vendor-grpc-1_43_2 shades vulnerable Netty version
URL: https://github.com/apache/beam/issues/21639

