Remove commons compression at project level. (#344)

awslabs · May 17, 2024 · 2c79afe · 2c79afe
1 parent 8596e42
commit 2c79afe
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 12 deletions.
diff --git a/avro-flink-serde/pom.xml b/avro-flink-serde/pom.xml
@@ -149,11 +149,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-compress</artifactId>
-            <version>1.21</version>
-        </dependency>
 
         <dependency>
             <groupId>org.apache.flink</groupId>

diff --git a/common/pom.xml b/common/pom.xml
@@ -89,10 +89,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-compress</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

diff --git a/pom.xml b/pom.xml
@@ -88,7 +88,6 @@
         <mbknor.jsonschema.converter.version>1.0.39</mbknor.jsonschema.converter.version>
         <everit.json.schema.version>1.14.2</everit.json.schema.version>
         <classgraph.version>4.8.120</classgraph.version>
-        <commons.compress.version>1.21</commons.compress.version>
         <commons.lang.version>3.8.1</commons.lang.version>
         <jackson.version>2.12.2</jackson.version>
         <!-- Protobuf -->
@@ -168,12 +167,18 @@
                 <groupId>org.apache.avro</groupId>
                 <artifactId>avro</artifactId>
                 <version>${avro.version}</version>
+                <exclusions>
+                  <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-compress</artifactId>
+                  </exclusion>
+               </exclusions>
             </dependency>
-            <!-- Temporarily adding dependency on a transitive dependency to fix security bug in underlying library. Remove when dependency is upgraded. -->
+            <!-- Exclude commons-compress globally due to vulns -->
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-compress</artifactId>
-                <version>${commons.compress.version}</version>
+                <scope>provided</scope>
             </dependency>
             <dependency>
                 <groupId>org.apache.avro</groupId>