everin opened a new issue, #49741: URL: https://github.com/apache/arrow/issues/49741
### Describe the enhancement requested

Hello Apache Arrow team, first of all, thank you for your work on Arrow and the Flight SQL JDBC driver.

We are currently using the Flight SQL JDBC driver version 19.0.0 and, during a routine security scan of our artifacts (Docker image), we identified several vulnerabilities affecting dependencies that appear to be **shaded within the driver JAR**. Specifically, the following issues were reported:

* **High** – CVE-2024-57699 – net.minidev:json-smart
* **High** – CVE-2026-33871 – io.netty:netty-codec-http2
* **Medium** – GHSA-72hv-8253-57qq – com.fasterxml.jackson.core:jackson-core
* **Medium** – CVE-2025-53864 – com.nimbusds:nimbus-jose-jwt

Since these libraries are shaded, it is not possible for us to mitigate the vulnerabilities via standard dependency management (e.g., Maven/Gradle overrides).

We have already reached out to the Apache security channel to report and discuss this situation, but we would also like to ask here:

* Are there plans to update these shaded dependencies in an upcoming release?
* In particular, for the Netty HTTP/2 component, can you confirm whether it is actively used by the Flight SQL JDBC driver or if it could be considered non-critical in typical usage?

Thank you in advance for your support and for maintaining the project.

Kind regards,
Everin Orlandi

### Component(s)

Java

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
