From 9b586ffeb0e6704ac02c38dd86ba2be6e87b7ec2 Mon Sep 17 00:00:00 2001
From: Shahim Sharafudeen <shahim.ayathil@gmail.com>
Date: Mon, 18 Aug 2025 21:58:31 +0530
Subject: [PATCH] Upgrade helix-core to 1.4.3 to address CVE-2023-38647

---
 pom.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pom.xml b/pom.xml
index 52ed78bd8ad51..125843ff6dca8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -90,6 +90,7 @@
         <dep.commons.lang3.version>3.18.0</dep.commons.lang3.version>
         <dep.guice.version>6.0.0</dep.guice.version>
         <dep.arrow.version>17.0.0</dep.arrow.version>
+        <dep.helix.version>1.4.3</dep.helix.version>
 
         <dep.pos.classloader.module-name.suffix>2</dep.pos.classloader.module-name.suffix>
 
@@ -2245,6 +2246,13 @@
                 <version>${dep.pinot.version}</version>
             </dependency>
 
+            <!-- Upgrades the transitive helix-core version used by the Presto Pinot driver to address CVE-2023-38647 -->
+            <dependency>
+                <groupId>org.apache.helix</groupId>
+                <artifactId>helix-core</artifactId>
+                <version>${dep.helix.version}</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.xerial.snappy</groupId>
                 <artifactId>snappy-java</artifactId>