Thanks for the release note! Minor formatting nit.

== RELEASE NOTES ==

Security Changes
* Upgrade helix-core to 1.4.3 to address `CVE-2023-38647  <https://github.com/advisories/GHSA-jhcr-hph9-g7wm>`_.

@ShahimSharafudeen, thank you. Why don't we add this to the root pom's DependencyManagement?

@imjalpreet - This transitive dependency is only used in the presto-pinot modules, which is why I added it directly to those modules instead of the root pom.xml

Thanks for the release note! Minor formatting nit.

== RELEASE NOTES ==

Security Changes
* Upgrade helix-core to 1.4.3 to address `CVE-2023-38647  <https://github.com/advisories/GHSA-jhcr-hph9-g7wm>`_.

Thanks @steveburnett for the correction. I've made the changes accordingly.

This transitive dependency is only used in the presto-pinot modules, which is why I added it directly to those modules instead of the root pom.xml

@ShahimSharafudeen IMO, I’d still suggest adding it to the root POM. This way, any future additions to other modules will be automatically covered, and it also simplifies version management across multiple modules.

This transitive dependency is only used in the presto-pinot modules, which is why I added it directly to those modules instead of the root pom.xml

@ShahimSharafudeen IMO, I’d still suggest adding it to the root POM. This way, any future additions to other modules will be automatically covered, and it also simplifies version management across multiple modules.

@imjalpreet - Agreed with your point. I’ve moved the dependency to the root POM to ensure future modules are automatically covered and to simplify version management across the project.

Is there an update to the Pinot driver which fixes this CVE?

@tdcmeehan, I had checked this earlier. There hasn't been any new version released since March 2023, and the latest version is still using helix-core:1.0.4.

https://mvnrepository.com/artifact/org.apache.pinot/presto-pinot-driver/0.12.1

Can we create an issue in Pinot and link to that issue here? And potentially contribute this change upstream to the Pinot driver?

@tdcmeehan, the presto-pinot-driver was deprecated by Pinot in 2023 when they moved to a higher JDK version, but at that time we were still on JDK 8. Instead of continuing with the presto-pinot-driver, we needed to upgrade to the latest Pinot libraries, but the Java version held us back until now.

This PR was originally intended as a temporary CVE fix for the existing implementation we had added at IBM before upgrading to JDK 17.

Now that we’re on Java 17, the Pinot library upgrade is already underway. We’re moving to the latest libraries and removing the deprecated presto-pinot-driver. I checked the status, and it’s further along than I initially thought when I reviewed a couple of weeks back, so it might make sense to hold off on merging this PR and instead complete the upgrade, especially since that process already includes bringing the helix-core:1.4.3 dependency into Presto.

Pinot library upgrade PR: #25785

Thanks, @imjalpreet , for your clarification on the Pinot driver change during my absence.

@tdcmeehan @imjalpreet — Could you please confirm whether this PR is still relevant to keep open, since the same fix is already included in the Pinot library upgrade PR?

@ShahimSharafudeen, we can close this in favour of #25785