
Migrate lz4-java from org.lz4 1.8.0 to at.yawk.lz4 1.10.4#18015

Merged
xiangfu0 merged 1 commit into apache:master from xiangfu0:fix-lz4-java-version
Mar 28, 2026

Conversation

@xiangfu0
Contributor

@xiangfu0 xiangfu0 commented Mar 28, 2026

Summary

Migrates lz4-java from org.lz4:lz4-java:1.8.0 to at.yawk.lz4:lz4-java:1.10.4. The library has moved to at.yawk.lz4 coordinates with active maintenance. Version 1.10.4 fixes both Dependabot alerts:

The Java package names (net.jpountz.lz4 / org.lz4) remain unchanged so no source code changes are needed.

Test plan

  • Verify Maven build succeeds
  • Run pinot-segment-local unit tests (LZ4 compression paths)

🤖 Generated with Claude Code

…1.10.4

The lz4-java library has moved to at.yawk.lz4 coordinates with active
maintenance. Version 1.10.4 fixes both Dependabot alerts:
- apache#299 CVE-2025-12183: OOB memory operations causing DoS (fixed in 1.8.1)
- apache#300 CVE-2025-66566: information leak in safe decompressor (fixed in 1.10.1)

The package names (net.jpountz.lz4 / org.lz4) remain unchanged so no
Java source changes are needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@xiangfu0 xiangfu0 force-pushed the fix-lz4-java-version branch from b14575d to b99c769 on March 28, 2026 01:58
@xiangfu0 xiangfu0 changed the title from "Bump lz4-java from 1.8.0 to 1.8.1 to fix CVE-2025-12183" to "Migrate lz4-java from org.lz4 1.8.0 to at.yawk.lz4 1.10.4" Mar 28, 2026
@xiangfu0 xiangfu0 added the dependencies Pull requests that update a dependency file label Mar 28, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Updates the project’s LZ4 dependency coordinates/version to use the actively maintained at.yawk.lz4:lz4-java artifact, addressing the CVE-related Dependabot alerts without requiring source changes (package names remain net.jpountz.lz4).

Changes:

  • Bump lz4-java version property from 1.8.0 to 1.10.4.
  • Switch Maven coordinates from org.lz4:lz4-java to at.yawk.lz4:lz4-java in dependency management and module dependencies.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                  | Description
pom.xml               | Updates lz4-java.version and the dependencyManagement entry to the new at.yawk.lz4 groupId.
pinot-common/pom.xml  | Updates the direct dependency declaration to at.yawk.lz4 so it resolves via the root's dependencyManagement.
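A check a reviewer would want alongside the commit message and the Copilot summary above: changing the direct coordinates in pom.xml and pinot-common/pom.xml does not evict an org.lz4:lz4-java that another dependency pulls in transitively, and because both artifacts ship the same net.jpountz.lz4 packages, whichever jar the class loader finds first is the one that runs. The script below is an added example, not Pinot project code; it parses `mvn dependency:tree` output (the sample tree, the org.example coordinates and the versions in it are constructed) and flags any lz4-java that is still on org.lz4 coordinates, that appears under more than one groupId, or that is older than the fixed versions the commit message cites (1.8.1 for CVE-2025-12183, 1.10.1 for CVE-2025-66566).

```python
"""Audit Maven dependency:tree output for lingering or outdated lz4-java.

Added example for this PR page; not part of Apache Pinot. The sample tree,
the org.example coordinates and their versions are constructed.
"""
import re
from typing import NamedTuple

# Minimum versions carrying the fixes named in the PR commit message.
FIXED_VERSIONS = {
    "CVE-2025-12183": (1, 8, 1),
    "CVE-2025-66566": (1, 10, 1),
}

OLD_GROUP = "org.lz4"       # coordinates the PR moves away from
NEW_GROUP = "at.yawk.lz4"   # coordinates the PR moves to
ARTIFACT = "lz4-java"

# Constructed `mvn dependency:tree` output: the direct dependency is migrated,
# but a hypothetical client library still drags in the old artifact.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- at.yawk.lz4:lz4-java:jar:1.10.4:compile
[INFO] +- org.example:some-client:jar:3.2.0:compile
[INFO] |  \\- org.lz4:lz4-java:jar:1.8.0:compile
[INFO] \\- org.example:other-lib:jar:2.0.0:runtime
"""

# groupId:artifactId:jar:version:scope as printed by dependency:tree
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


class Finding(NamedTuple):
    group: str
    version: str
    scope: str
    reasons: tuple  # empty tuple means this occurrence is acceptable


def parse_version(version: str) -> tuple:
    """'1.10.4' -> (1, 10, 4); non-numeric segments compare as 0."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def audit_tree(tree_text: str) -> list:
    """Return one Finding per lz4-java artifact in the tree, with reasons."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue  # root line, plugin chatter, or anything without a scope
        group, artifact, version, scope = m.groups()
        if artifact != ARTIFACT:
            continue
        reasons = []
        if group == OLD_GROUP:
            reasons.append("legacy org.lz4 coordinates still on the classpath")
        parsed = parse_version(version)
        for cve, fixed in FIXED_VERSIONS.items():
            if parsed < fixed:
                reasons.append(f"{cve} unfixed (< {'.'.join(map(str, fixed))})")
        findings.append(Finding(group, version, scope, tuple(reasons)))
    return findings


def has_duplicate_lz4(tree_text: str) -> bool:
    """True when lz4-java resolves under more than one groupId (same packages twice)."""
    return len({f.group for f in audit_tree(tree_text)}) > 1


def classpath_is_clean(tree_text: str) -> bool:
    """True only if every lz4-java occurrence is fixed and no duplicate exists."""
    findings = audit_tree(tree_text)
    return all(not f.reasons for f in findings) and not has_duplicate_lz4(tree_text)


def report(tree_text: str) -> list:
    """Human-readable lines, one per problematic occurrence."""
    lines = [f"{f.group}:{ARTIFACT}:{f.version} ({f.scope}): " + "; ".join(f.reasons)
             for f in audit_tree(tree_text) if f.reasons]
    if has_duplicate_lz4(tree_text):
        lines.append("lz4-java present under multiple groupIds; class-loading order decides which wins")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TREE) or ["classpath clean"]:
        print(line)
```

Against a real build, feed it `mvn dependency:tree -Dincludes=:lz4-java` output; any reported line means an `<exclusion>` on the offending dependency or a dependencyManagement override is still required, since the coordinate change alone does not remove the transitive copy.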

@codecov-commenter

codecov-commenter commented Mar 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.31%. Comparing base (cfd7268) to head (b99c769).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master   #18015      +/-   ##
============================================
+ Coverage     63.27%   63.31%   +0.04%     
  Complexity     1543     1543              
============================================
  Files          3200     3200              
  Lines        194074   194149      +75     
  Branches      29883    29910      +27     
============================================
+ Hits         122792   122930     +138     
+ Misses        61637    61570      -67     
- Partials       9645     9649       +4     
Flag                | Coverage      | Δ
custom-integration1 | 100.00% <ø>   | (ø)
integration         | 100.00% <ø>   | (ø)
integration1        | 100.00% <ø>   | (ø)
integration2        | 0.00% <ø>     | (ø)
java-11             | 63.24% <ø>    | (+<0.01%) ⬆️
java-21             | 63.29% <ø>    | (+7.81%) ⬆️
temurin             | 63.31% <ø>    | (+0.04%) ⬆️
unittests           | 63.31% <ø>    | (+0.04%) ⬆️
unittests1          | 55.54% <ø>    | (+0.04%) ⬆️
unittests2          | 34.21% <ø>    | (+0.01%) ⬆️


@xiangfu0 xiangfu0 merged commit 6c99b6b into apache:master Mar 28, 2026
20 checks passed
@xiangfu0 xiangfu0 deleted the fix-lz4-java-version branch March 30, 2026 10:17
xiangfu0 added a commit to xiangfu0/pinot that referenced this pull request Mar 30, 2026:
cherry-pick: Migrate lz4-java from org.lz4:lz4-java 1.8.0 to at.yawk.lz4:lz4-java 1.10.4 (apache#18015)
4 participants