From 36d2c293291de7924fcdc69761714f8b2737d1d4 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Sat, 12 Jul 2025 07:22:32 +0000
Subject: [PATCH] airflow-3/3.0.2-r5: fix GHSA-j288-q9x7-2f5v
 <!--ci-cve-scan:must-fix: GHSA-j288-q9x7-2f5v-->

---
 airflow-3.yaml              | 4 +++-
 airflow-3/pombump-deps.yaml | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 airflow-3/pombump-deps.yaml

diff --git a/airflow-3.yaml b/airflow-3.yaml
index 51ec63d7b82..b957ea0d25a 100644
--- a/airflow-3.yaml
+++ b/airflow-3.yaml
@@ -1,7 +1,7 @@
 package:
   name: airflow-3
   version: "3.0.2"
-  epoch: 5
+  epoch: 6
   description: Platform to programmatically author, schedule, and monitor workflows
   options:
     #  There is a dependency on libarrow.so although it
@@ -85,6 +85,8 @@ pipeline:
       tag: ${{package.version}}
       expected-commit: 79838baef32afab08816bba958b4c1622cf162d6
 
+  - uses: maven/pombump
+
   - working-directory: ./airflow-core/src/airflow/ui
     runs: |
       # front-end build
diff --git a/airflow-3/pombump-deps.yaml b/airflow-3/pombump-deps.yaml
new file mode 100644
index 00000000000..ccfca98f859
--- /dev/null
+++ b/airflow-3/pombump-deps.yaml
@@ -0,0 +1,4 @@
+patches:
+  - groupId: org.apache.commons
+    artifactId: commons-lang3
+    version: 3.18.0