From b5c48e82f6f120936c8f560f088a61e029fbaf19 Mon Sep 17 00:00:00 2001 From: Lari Hotari Date: Fri, 22 May 2026 13:00:08 +0300 Subject: [PATCH] [improve][build] Remove kotlin-stdlib version override; upgrade okhttp3 5.3.2 and okio 3.17.0 Closes #25763 The explicit kotlin-stdlib 1.8.20 override was added in PR #13065 to mitigate CVE-2020-29582, which only affects Kotlin < 1.4.21. With okhttp3 5.x and okio 3.x, the transitive kotlin-stdlib is already on a modern major (2.x), so the override is no longer needed and was pinning kotlin-stdlib to a version that is end-of-life. - okhttp3: 5.3.1 -> 5.3.2 (also resolves a 5.3.1/5.3.2 split where OpenTelemetry's opentelemetry-exporter-sender-okhttp 1.62.0 was bringing 5.3.2 transitively while the BOM forced 5.3.1) - okio: 3.16.3 -> 3.17.0 - Remove kotlin-stdlib version pin (now resolves to 2.2.21 via okio/okhttp transitive deps) - Remove jetbrains-annotations version pin (resolves naturally to 13.0 via kotlin-stdlib; not forced) - Drop explicit distLib declarations for kotlin-stdlib, kotlin-stdlib-common, and annotations in the server distribution build; they now flow in transitively. kotlin-stdlib-common is no longer published as a separate artifact in Kotlin 2.x. - Update LICENSE.bin.txt to reflect the new versions --- distribution/server/build.gradle.kts | 7 ------- distribution/server/src/assemble/LICENSE.bin.txt | 9 ++++----- gradle/libs.versions.toml | 7 ++----- 3 files changed, 6 insertions(+), 17 deletions(-) diff --git a/distribution/server/build.gradle.kts b/distribution/server/build.gradle.kts index 1b2490b825d78..dc3e6e3703dae 100644 --- a/distribution/server/build.gradle.kts +++ b/distribution/server/build.gradle.kts 
@@ -29,10 +29,8 @@ tasks.named("jar") { enabled = false } val bookkeeperVersion: String = libs.versions.bookkeeper.get() val zookeeperVersion: String = libs.versions.zookeeper.get() -val kotlinStdlibVersion: String = libs.versions.kotlin.stdlib.get() val nettyTcnativeVersion: String = libs.versions.netty.tcnative.get() val audienceAnnotationsVersion: String = libs.versions.audience.annotations.get() -val jetbrainsAnnotationsVersion: String = libs.versions.jetbrains.annotations.get() // Configuration for collecting runtime dependencies val distLib by configurations.creating { @@ -168,11 +166,6 @@ dependencies { artifact { type = "jar" } } - // Kotlin stdlib and JetBrains annotations (Maven includes these transitively) - distLib("org.jetbrains.kotlin:kotlin-stdlib:${kotlinStdlibVersion}") - distLib("org.jetbrains.kotlin:kotlin-stdlib-common:${kotlinStdlibVersion}") - distLib("org.jetbrains:annotations:${jetbrainsAnnotationsVersion}") - // zookeeper-jute (transitive of zookeeper, but zookeeper itself is excluded) distLib("org.apache.zookeeper:zookeeper-jute:${zookeeperVersion}") diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index 5020a180ef486..5241a63ccf243 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt 
@@ -434,14 +434,13 @@ The Apache Software License, Version 2.0 * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.45.0.jar * Apache Thrift - org.apache.thrift-libthrift-0.23.0.jar * OkHttp3 - - com.squareup.okhttp3-logging-interceptor-5.3.1.jar - - com.squareup.okhttp3-okhttp-jvm-5.3.1.jar + - com.squareup.okhttp3-logging-interceptor-5.3.2.jar + - com.squareup.okhttp3-okhttp-jvm-5.3.2.jar * Okio - - com.squareup.okio-okio-jvm-3.16.3.jar + - com.squareup.okio-okio-jvm-3.17.0.jar * Javassist -- org.javassist-javassist-3.25.0-GA.jar * Kotlin Standard Lib - - org.jetbrains.kotlin-kotlin-stdlib-1.8.20.jar - - org.jetbrains.kotlin-kotlin-stdlib-common-1.8.20.jar + - org.jetbrains.kotlin-kotlin-stdlib-2.2.21.jar - org.jetbrains-annotations-13.0.jar * gRPC - io.grpc-grpc-all-1.75.0.jar diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 7559c5a04ba42..c8a099c4aada5 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -69,8 +69,8 @@ vertx = "4.5.27" # Networking / HTTP asynchttpclient = "2.15.0" conscrypt = "2.5.2" -okhttp3 = "5.3.1" -okio = "3.16.3" +okhttp3 = "5.3.2" +okio = "3.17.0" netty-tcnative = "2.0.77.Final" httpcomponents-httpclient = "4.5.13" httpcomponents-httpcore = "4.4.15" @@ -108,9 +108,7 @@ jline3 = "3.21.0" jline2 = "2.14.6" javassist = "3.25.0-GA" rocksdb = "7.9.2" -kotlin-stdlib = "1.8.20" audience-annotations = "0.12.0" -jetbrains-annotations = "13.0" # Misc curator = "5.7.1" reflections = "0.10.2" 
@@ -353,7 +351,6 @@ opencensus-contrib-http-util = { module = "io.opencensus:opencensus-contrib-http
 httpcomponents-httpclient = { module = "org.apache.httpcomponents:httpclient", version.ref = "httpcomponents-httpclient" }
 httpcomponents-httpcore = { module = "org.apache.httpcomponents:httpcore", version.ref = "httpcomponents-httpcore" }
 jakarta-annotation-api = { module = "jakarta.annotation:jakarta.annotation-api", version.ref = "jakarta-annotation" }
-kotlin-stdlib = { module = "org.jetbrains.kotlin:kotlin-stdlib", version.ref = "kotlin-stdlib" }
 snakeyaml = { module = "org.yaml:snakeyaml", version.ref = "snakeyaml" }
 ant = { module = "org.apache.ant:ant", version.ref = "ant" }
 guice = { module = "com.google.inject:guice", version.ref = "guice" }