
[FLINK-39139] Update lz4-java to 1.10.3 #27535

Merged: pnowojski merged 2 commits into apache:master from Nordix:bump-lz4 on Feb 23, 2026

Conversation

eschcam (Contributor) commented Feb 5, 2026

What is the purpose of the change

lz4-java 1.8.0 has the following CVEs:

It has also been relocated to at.yawk.lz4

Brief change log

  • Update lz4-java to 1.10.3

Verifying this change

Passes local tests

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

flinkbot (Collaborator) commented Feb 5, 2026

CI report:

Bot commands: the @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build

eschcam (Contributor, Author) commented Feb 5, 2026

@flinkbot run azure

Savonitar (Contributor) left a comment

Hi, thanks for removing the vulnerability!
I have one small comment:
Could you please also update flink-dist/src/main/resources/META-INF/NOTICE:20?

Apart from that, LGTM.

github-actions bot added the community-reviewed label (PR has been reviewed by the community) Feb 20, 2026

eschcam (Contributor, Author) commented Feb 20, 2026

Hi, thanks for removing the vulnerability! I have one small comment: Could you please also update flink-dist/src/main/resources/META-INF/NOTICE:20?

Apart from that, LGTM.

Thanks. I missed that.
Resolved

@eschcam eschcam requested a review from Savonitar February 20, 2026 16:38

Savonitar (Contributor) left a comment

LGTM

github-actions bot added the community-reviewed-LGTM label (applied if there are 2 non-committer approves on a PR; the submitter cannot approve their own PR) and removed the community-reviewed label (PR has been reviewed by the community) Feb 21, 2026
@pnowojski pnowojski merged commit e9afe8b into apache:master Feb 23, 2026
pnowojski (Contributor) commented

@eschcam and @Savonitar , can you make sure this is backported to at least release 2.2 and release 2.1 branches?

@eschcam eschcam deleted the bump-lz4 branch February 23, 2026 14:31
eschcam (Contributor, Author) commented Feb 23, 2026

@eschcam and @Savonitar , can you make sure this is backported to at least release 2.2 and release 2.1 branches?

As requested
2.2: #27644
2.1: #27645

I will try to backport to 2.0, 1.20 & 1.19

eschcam (Contributor, Author) commented Feb 23, 2026

@pnowojski Here are the backports

2.2: #27644
2.1: #27645
2.0: #27646
1.20: #27647
1.19: #27648

eschcam changed the title from "[Hotfix] Update lz4-java to 1.10.3" to "[FLINK-39139] Update lz4-java to 1.10.3" Feb 23, 2026

Savonitar (Contributor) commented

@eschcam and @Savonitar , can you make sure this is backported to at least release 2.2 and release 2.1 branches?

Done.

Savonitar (Contributor) commented

@eschcam AFAIK there are no plans to release 1.19

eschcam (Contributor, Author) commented Feb 26, 2026

@eschcam AFAIK there are no plans to release 1.19

The only reason I backported to the 1.19 branch is because I noticed another contributor backporting PRs to it

eschcam (Contributor, Author) commented Feb 26, 2026

@Savonitar Is there any reason why #27646 wasn't merged?

Savonitar (Contributor) commented

@eschcam

The only reason I backported to the 1.19 branch is because I noticed another contributor backporting PRs to it

Docs are pushed to the website automatically and don't require us to cut a new official Flink release, whereas bug fixes do.

@Savonitar Is there any reason why #27646 wasn't merged?

We’ve just merged it. Thanks for the fix and the backports!
