chore(deps): bump netty-bom 4.1.133.Final → 4.2.13.Final #28026
sonika-shah wants to merge 2 commits into
Conversation
Ships the literal patched version for GHSA-rwm7-x88c-3g2p / CVE-2026-42577 instead of relying on the per-direct-dep epoll exclusion used in the 1.12.7 hotfix PR (open-metadata#28010). After this bump:
- netty-transport-native-epoll resolves to 4.2.13.Final (out of GHSA's < 4.2.13.Final vulnerable range — AWS Inspector finding cleared by GAV)
- Native epoll perf preserved on Linux x86_64 (no NIO fallback)
- Companion follow-up: drop the <exclusion> blocks added in open-metadata#28010
Empirical validation (see open-metadata/openmetadata-collate#4046):
- mvn test on openmetadata-service: 5,289 tests, 0 failures
- Standalone Azure SDK → reactor-netty 1.2.16 → real HTTPS request: HTTP 200
- Lettuce 6.7.1 on netty 4.2.13.Final: 5/5 tests including 10k concurrent ops and 1k pub/sub messages (zero loss)
- OM dist tarball ships netty-transport-native-epoll-4.2.13.Final
- gRPC isolated via grpc-netty-shaded (own relocated netty)
Fixes open-metadata/openmetadata-collate#4046 (tracking issue for the 3-repo bump).
Pull request overview
This PR updates the root Maven dependency management to import a newer io.netty:netty-bom, aiming to clear the netty-transport-native-epoll security finding (CVE-2026-42577 / GHSA-rwm7-x88c-3g2p) by moving off the flagged Netty line.
Changes:
- Bump io.netty:netty-bom from 4.1.133.Final to 4.2.13.Final in the root pom.xml.
Code Review (Gitar) ✅ Approved
Bumps netty-bom to 4.2.13.Final to remediate CVE-2026-42577 and includes an unrelated bug fix to exclude temporal table period columns from autoClassification. No issues found.
🟡 Playwright Results — all passed (22 flaky): ✅ 4063 passed · ❌ 0 failed · 🟡 22 flaky · ⏭️ 86 skipped
🟡 22 flaky test(s) (passed on retry)
How to debug locally:
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip # view trace

Summary
Fixes https://github.com/open-metadata/openmetadata-collate/issues/4046
Bumps io.netty:netty-bom from 4.1.133.Final → 4.2.13.Final. This is the long-term follow-up to PR #28010 (1.12.7 hotfix). Once this bump lands, AWS Inspector finding CVE-2026-42577 / GHSA-rwm7-x88c-3g2p (netty-transport-native-epoll) is cleared by GAV — the per-direct-dep <exclusion> blocks added in #28010 can then be removed.
Why not in 1.12.7?
The 4.1.x → 4.2.x bump touches the cross-cutting Netty BOM that's transitively used by every HTTP/IO stack in the build (reactor-netty / Azure SDK / Lettuce / Spring / Jackson). It's not safe to ship under hotfix-cadence review. The 1.12.7 PR uses targeted exclusions on the three direct Azure deps; this PR is the proper fix.
Validation done locally
mvn test (openmetadata-service)
Follow-up
After this lands, a follow-up PR removes the netty-transport-native-epoll <exclusion> blocks from openmetadata-service/pom.xml (azure-security-keyvault-secrets, azure-identity, azure-storage-blob, azure-identity-extensions).
Fixes open-metadata/openmetadata-collate#4046
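A check for the "cleared by GAV" claim in the PR description, added here as an example and not code from the PR or the OpenMetadata build. It parses `mvn dependency:list`-style lines (the sample lines below are constructed) and flags any io.netty:netty-transport-native-epoll coordinate still inside the vulnerable range the PR quotes for GHSA-rwm7-x88c-3g2p / CVE-2026-42577, i.e. versions below 4.2.13.Final. The version ordering is a simplification of Maven's ComparableVersion rules (an assumption), enough to avoid the string-comparison mistake where 4.2.9.Final sorts above 4.2.13.Final, and to treat a SNAPSHOT of the fixed version as still vulnerable.

```python
"""Flag netty-transport-native-epoll coordinates inside the vulnerable range.

Added example, not code from the PR or the OpenMetadata repo. Input lines follow
the `mvn dependency:list` format:
    groupId:artifactId:type[:classifier]:version:scope
The vulnerable range (< 4.2.13.Final) is the one quoted in the PR description
for GHSA-rwm7-x88c-3g2p / CVE-2026-42577; the sample output below is constructed.
"""
from typing import List, Tuple

# Artifact and fixed version taken from the PR text (assumption: only this
# artifact is in scope for the finding; extend the table for other modules).
FLAGGED = {("io.netty", "netty-transport-native-epoll"): "4.2.13.Final"}

# Simplified Maven qualifier ordering: pre-release qualifiers sort below a
# release, "Final"/"ga"/no qualifier are the release, "sp" sorts above it.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "cr": 3,
                   "snapshot": 4, "": 5, "final": 5, "ga": 5, "release": 5, "sp": 6}


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric dotted components, then a qualifier rank.

    Numeric parts are compared as integers so 4.2.9 < 4.2.13, which a plain
    string comparison gets wrong.
    """
    numeric: List[int] = []
    qualifier = ""
    for part in version.split("."):
        if part.isdigit():
            numeric.append(int(part))
        else:
            qualifier = part.lower()
            break
    while len(numeric) < 3:      # 4.2 == 4.2.0
        numeric.append(0)
    if "snapshot" in qualifier:   # e.g. Final-SNAPSHOT is still pre-release
        rank = _QUALIFIER_RANK["snapshot"]
    else:
        rank = _QUALIFIER_RANK.get(qualifier, 5)
    return tuple(numeric), rank


def is_vulnerable(version: str, fixed: str = "4.2.13.Final") -> bool:
    """True when version is strictly below the fixed version."""
    return version_key(version) < version_key(fixed)


def parse_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) from dependency:list output."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        parts = line.split(":")
        if len(parts) == 5:       # g:a:type:version:scope
            found.append((parts[0], parts[1], parts[3]))
        elif len(parts) == 6:     # g:a:type:classifier:version:scope
            found.append((parts[0], parts[1], parts[4]))
    return found


def find_vulnerable(text: str) -> List[str]:
    """Return 'g:a:v' for every flagged artifact still inside its range."""
    hits = []
    for group, artifact, version in parse_dependency_list(text):
        fixed = FLAGGED.get((group, artifact))
        if fixed is not None and is_vulnerable(version, fixed):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample output, before and after the BOM bump.
SAMPLE_BEFORE = """\
[INFO] The following files have been resolved:
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.133.Final:compile
[INFO]    io.netty:netty-handler:jar:4.1.133.Final:compile
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:1.2.16:compile
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("4.1.133.Final", "4.2.13.Final")

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = find_vulnerable(sample)
        print(f"{label}: {hits or 'no vulnerable coordinates'}")
```

In a real run, feed it the output of `mvn dependency:list -DincludeGroupIds=io.netty` from the module that builds the distribution; the classifier-bearing epoll coordinate (linux-x86_64) is why the parser accepts both the five- and six-field forms.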
Summary by Gitar
- simplejavamail to 8.12.6 and reactor-netty-http to 1.2.16.
- libthrift to 0.23.0 to address CVE-2026-43869.
(6ac135dc)