slfan1989 commented on PR #14941:
URL: https://github.com/apache/iceberg/pull/14941#issuecomment-3695255105

   > I’m seeing org.lz4:lz4-java:1.8.0 still present on Spark 3.5/4.0 compileClasspath. Does this need to be fixed too?

   Thanks for the review!

   You're right — even as a transitive dependency, the vulnerable `org.lz4:lz4-java:1.8.0` should be fully excluded to avoid scanner alerts.

   I'll update the PR to add a global `exclude group: 'org.lz4', module: 'lz4-java'` in the root `subprojects` block (covering Spark, Flink, and Kafka Connect). This will completely remove the old version from all classpaths, while keeping the capability resolution rule as a safety net.

   Pushing the change shortly. Thanks again!
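The global exclusion described above, written out as an added example for the root `build.gradle` (this is illustrative code, not the PR's own change; the `:iceberg-spark:iceberg-spark-3.5_2.12` project path used in the verification comment is an assumption):

```groovy
// Root build.gradle: drop the vulnerable org.lz4:lz4-java artifact from every
// configuration of every subproject, so it cannot reach any compile or runtime
// classpath through a transitive edge (Spark, Flink, Kafka Connect included).
subprojects {
  configurations.all {
    exclude group: 'org.lz4', module: 'lz4-java'
  }
}

// Verify from the shell that the exclusion took effect (project path assumed):
//   ./gradlew :iceberg-spark:iceberg-spark-3.5_2.12:dependencyInsight \
//       --configuration compileClasspath --dependency lz4-java
// The report should no longer resolve org.lz4:lz4-java:1.8.0; if a consumer
// still needs an LZ4 implementation, the replacement must be declared
// explicitly rather than inherited transitively.
```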


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
