fix(build): force update dependency of k8s java-client to fix high CVEs #5402
What this PR does / why we need it:
In the dataflow component we use `io.kubernetes:client-java` for fetching k8s secrets needed for Kafka SaaS auth. The library has `org.apache.commons:commons-compress` as a dependency. `org.apache.commons:commons-compress` is updated from 1.24.0 to 1.26.0 by defining an explicit gradle build dependency constraint. See https://docs.gradle.org/current/userguide/dependency_constraints.html for a description of how gradle may handle transitive dependency updates. This comes with its own disadvantages:

- because we force the update ourselves, we have to test that our dependency indeed works with the updated package and delivers the same functionality we need
- we need to remove the build constraint once the dependency updates its dependency, so that we don't "pin" that to an old version unnecessarily (this is why we have the following TODO)

TODO(future): remove gradle constraint when io.kubernetes:client-java gets updated to a version directly depending on 1.26.0 or higher

Fixes:
Special notes for your reviewer:
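For readers unfamiliar with Gradle dependency constraints, the following is an added illustration of the mechanism the PR description refers to; it is not the PR's own diff. The `io.kubernetes:client-java` version is a placeholder (the PR does not state it), and the `because` text is an assumption written for this example.

```groovy
// build.gradle (Groovy DSL) -- added example, not the repository's actual build file.
dependencies {
    // Direct dependency that transitively brings in commons-compress 1.24.0.
    // <CLIENT_JAVA_VERSION> is a placeholder; use the version the project actually pins.
    implementation 'io.kubernetes:client-java:<CLIENT_JAVA_VERSION>'

    constraints {
        // A constraint does not add commons-compress to the graph by itself; it only
        // raises the resolved version when the artifact is pulled in transitively.
        implementation('org.apache.commons:commons-compress:1.26.0') {
            // TODO(future): drop this constraint once client-java depends on >= 1.26.0 itself.
            because 'io.kubernetes:client-java transitively depends on 1.24.0; force the fixed release'
        }
    }
}
```

To confirm the constraint actually took effect (and, later, to spot when it has become redundant), run `./gradlew dependencyInsight --dependency commons-compress --configuration runtimeClasspath`: the report shows which version was selected and whether the selection came from the constraint or from the upstream library's own declaration.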