[SPARK-54597][BUILD] Upgrade lz4-java to 1.10.0
#53327
Conversation
|
This is a dependency-only PR, cc @dbtsai , @HyukjinKwon , @LuciferYang , @yawkat , @SteNicholas . To be clear, the security issue is not a scope of this PR. |
|
Thank you, @HyukjinKwon . I'm going to add one more commit to ban this library explicitly. |
|
All tests passed at the first commit and the subsequent two comments are only about excluding the transitive dependencies to make it sure. 
|
|
@dongjoon-hyun, does it still need to switch fastDecompressor to safeDecompressor after upgrade? |
Exactly, that's @dbtsai 's contribution, @SteNicholas . This PR doesn't aim to do that. He will rebase his PR after merging this independently. |
|
Thank you, @LuciferYang ! I'll update it. |
|
@dongjoon-hyun, I just confirm whether to switch fastDecompressor to safeDecompressor after upgrade to 1.10.0. |
@SteNicholas What I can say here is that it's beyond of this PR. Technically, we don't know what decision we are going to make eventually on the following yet because it's still |
|
Please don't get me wrong. I'm trying to help that PR move forward by reducing the gap. |
|
LGTM ~ |
|
Thank you all! Merged to master for Apache Spark 4.2.0 (for now) |
4 participants
What changes were proposed in this pull request?
This PR aims to upgrade
lz4-javato 1.10.0 and exclude the legacy groupID version.Why are the changes needed?
Since
lz4-javachanged its repository, we had better depend on the live repository for future maintenance.Does this PR introduce any user-facing change?
No Spark behavior change.
How was this patch tested?
Pass the CIs.
Was this patch authored or co-authored using generative AI tooling?
No.