lhotari opened a new pull request, #20: URL: https://github.com/apache/pulsar-connectors/pull/20
## Summary Pull library version updates from [apache/pulsar's `gradle/libs.versions.toml`](https://github.com/apache/pulsar/blob/master/gradle/libs.versions.toml) into this repo's catalog so connectors build against the same baseline as the broker: - `jetty` 12.1.5 → 12.1.8 - `jackson` 2.18.6 → 2.21.2 - `log4j2` 2.25.3 → 2.25.4 - `asynchttpclient` 2.12.4 → 2.14.5 - `bouncycastle` (`bcprov`/`bcpkix`/`bcutil`) → 1.84 — addresses CVE-2026-5588 and CVE-2026-0636 - `bcpkix-fips` 2.0.10 → 2.0.11 - `bcutil-fips` 2.0.5 → 2.0.6 Drops `bcprov-ext-jdk18on`: the BC team retired the `-ext` variant (last release 1.78.1), and pinning it alongside `bcprov` 1.84 would shadow the CVE-2026-0636 fix. No consumers in this repo. Matches apache/pulsar#25569. Connector-specific entries (kafka, debezium, opensearch, hbase, aws-sdk2, etc.) and `jetty9` are intentionally left untouched since they don't exist or are pinned independently in upstream Pulsar. ## Test plan - [ ] CI passes - [ ] Local Gradle build resolves new versions cleanly -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
