@lhotari
Member

@lhotari lhotari commented Nov 27, 2025

Motivation

commons-collections is considered vulnerable in Sonatype. The issue is https://issues.apache.org/jira/browse/COLLECTIONS-701. This problem is fixed in commons-collections4.
commons-collections gets pulled into Pulsar from BookKeeper dependencies, where it's an optional dependency of commons-beanutils ("The main commons-beanutils.jar has an optional dependency on Commons Collections" source).
It's also a dependency of org.apache.bookkeeper:stream-storage-java-client, where it gets pulled in as a transitive dependency of hadoop-common. hadoop-common version 3.4.2 has replaced commons-collections with commons-collections4 to address the vulnerability.

Modifications

  • exclude commons-collections from transitive dependencies of commons-beanutils
  • exclude commons-collections from transitive dependencies of org.apache.bookkeeper:stream-storage-java-client
  • upgrade hadoop version to 3.4.2 since it replaces commons-collections with commons-collections4

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete
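How the two exclusions look in a Maven POM, together with an enforcer rule that fails the build if the banned artifact ever returns through another path. This is an added illustration, not the PR's own diff: the `${...}` version properties and the enforcer execution are assumptions, while the coordinates come from the PR description above.

```xml
<dependencies>
  <dependency>
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <version>${commons-beanutils.version}</version> <!-- property name assumed -->
    <exclusions>
      <!-- drop the optional commons-collections 3.x dependency (COLLECTIONS-701) -->
      <exclusion>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.bookkeeper</groupId>
    <artifactId>stream-storage-java-client</artifactId>
    <version>${bookkeeper.version}</version> <!-- property name assumed -->
    <exclusions>
      <!-- same artifact arrives transitively via hadoop-common older than 3.4.2 -->
      <exclusion>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
<build>
  <plugins>
    <!-- guard against regression: bannedDependencies searches the transitive tree by default -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- groupId:artifactId, any version, any scope -->
                  <exclude>commons-collections:commons-collections</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

`mvn dependency:tree -Dincludes=commons-collections:commons-collections` shows every remaining path to the artifact, so it is a quick way to confirm the exclusions took effect before relying on the enforcer rule.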

@lhotari lhotari added this to the 4.2.0 milestone Nov 27, 2025
@lhotari lhotari requested a review from Technoboy- November 27, 2025 10:39
@lhotari lhotari self-assigned this Nov 27, 2025
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 27, 2025
@lhotari lhotari merged commit 081b448 into apache:master Nov 27, 2025
100 of 107 checks passed
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.31%. Comparing base (6849824) to head (18d53f9).
⚠️ Report is 2 commits behind head on master.

@@              Coverage Diff              @@
##             master   #25024       +/-   ##
=============================================
+ Coverage     38.44%   74.31%   +35.87%     
- Complexity    13235    34065    +20830     
=============================================
  Files          1863     1920       +57     
  Lines        146149   150313     +4164     
  Branches      16972    17459      +487     
=============================================
+ Hits          56183   111711    +55528     
+ Misses        82305    29682    -52623     
- Partials       7661     8920     +1259     
Flag        Coverage   Δ
inttests    26.35%     +0.07%
systests    22.91%     +0.03%
unittests   73.84%     +39.20%

lhotari added a commit that referenced this pull request Nov 27, 2025
ganesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 1, 2025
(cherry picked from commit 081b448)
(cherry picked from commit 030d6ea)
ganesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 2, 2025
(cherry picked from commit 081b448)
(cherry picked from commit 030d6ea)