apache / celeborn

Apache Celeborn is an elastic and high-performance service for shuffle and spilled data.
https://celeborn.apache.org/
Apache License 2.0

[CELEBORN-1708] Bump protobuf version from 3.21.7 to 3.25.5 #2898

Closed turboFei closed 1 week ago

turboFei commented 2 weeks ago

What changes were proposed in this pull request?

Bump protobuf from 3.21.7 to 3.25.5.

Why are the changes needed?

To fix CVE: https://github.com/advisories/GHSA-735f-pc8j-v9w8

Does this PR introduce any user-facing change?

No.

How was this patch tested?

GA.

pan3793 commented 1 week ago

The recent protobuf-java versions introduced a "runtime jar version" and "generated code version" check; it may affect the case where we pull in a third-party dependency that contains generated protobuf code, so we should be careful when bumping the protobuf runtime jar version. For the Celeborn case, please also test Ratis gRPC mode when bumping protobuf versions.

turboFei commented 1 week ago

For ratis:

The protobuf is shaded and the shaded.protobuf.version is 3.24.4 in ratis 3.1.1 and 3.1.2 https://github.com/apache/ratis/blob/45a30d890451a44ec918fdee2732c5fff80ea17c/pom.xml#L216C1-L217C1

Will test celeborn.master.ha.ratis.raft.rpc.type=grpc.

turboFei commented 1 week ago

@pan3793 how about adding the UT with grpc mode?

The protobuf is shaded in ratis and the shaded.protobuf.version is 3.24.4 in ratis 3.1.1 and 3.1.2.

pan3793 commented 1 week ago

It should have no issue if Ratis uses a shaded protobuf.
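The two concerns raised above, that a bumped protobuf runtime jar can clash with generated code or a second runtime copy pulled in by a third-party dependency, and that Ratis is safe only because it shades its own protobuf, can be checked mechanically before merging. The following is an added example, not code from Celeborn, Ratis or protobuf-java: it scans a set of jars for `com/google/protobuf/` classes, distinguishes unshaded copies (which compete for the same class names) from relocated copies such as Ratis' `org/apache/ratis/thirdparty/com/google/protobuf/`, reads the runtime version from `pom.properties` where a jar ships one, and applies a conservative gencode-vs-runtime rule (same major, generated code not newer than the runtime) that is my own policy rather than a reproduction of protobuf-java's check. The jar names and contents are constructed in memory for the demonstration; on a real build you would feed it the resolved classpath instead.

```python
"""Audit a classpath for protobuf runtime copies and gencode compatibility.

Added example, not project code. Assumes jars are given as bytes; on a real
build, read them from the resolved classpath (e.g. the output of
`mvn dependency:build-classpath`).
"""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Optional

# The upstream protobuf runtime lives under this package. Two jars exporting
# it means two runtimes, and the classloader decides which one wins.
UNSHADED_PREFIX = "com/google/protobuf/"
# Shaded copies relocate the package under a vendor prefix, e.g.
# org/apache/ratis/thirdparty/com/google/protobuf/Message.class
SHADED_RE = re.compile(r"^(?P<prefix>[^/].*?/)com/google/protobuf/.+\.class$")
# Maven ships the artifact version here when the runtime jar is unshaded.
POM_PROPS_RE = re.compile(r"^META-INF/maven/[^/]+/protobuf-java/pom\.properties$")


@dataclass
class ProtobufFinding:
    jar: str
    unshaded_classes: int = 0
    shaded_prefixes: set = field(default_factory=set)
    version: Optional[str] = None  # only present if the jar ships pom.properties


def scan_jar(name: str, data: bytes) -> ProtobufFinding:
    """Inspect one jar for unshaded and shaded protobuf runtime classes."""
    finding = ProtobufFinding(jar=name)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.startswith(UNSHADED_PREFIX) and entry.endswith(".class"):
                finding.unshaded_classes += 1
            elif (m := SHADED_RE.match(entry)):
                finding.shaded_prefixes.add(m.group("prefix"))
            elif POM_PROPS_RE.match(entry):
                for line in zf.read(entry).decode("utf-8").splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        finding.version = value.strip()
    return finding


def classify(findings: list[ProtobufFinding]) -> dict[str, list[str]]:
    """Group jars: 'unshaded' export com.google.protobuf, 'shaded' keep a
    relocated private copy, 'conflicts' lists unshaded jars when there is
    more than one of them (the situation a runtime bump can silently mask)."""
    unshaded = [f.jar for f in findings if f.unshaded_classes]
    shaded = [f.jar for f in findings if f.shaded_prefixes]
    return {
        "unshaded": unshaded,
        "shaded": shaded,
        "conflicts": unshaded if len(unshaded) > 1 else [],
    }


def parse_version(version: str) -> tuple[int, int, int]:
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return major, minor, patch


def gencode_compatible(gencode: str, runtime: str) -> bool:
    """Conservative policy used by this example (not protobuf-java's own
    implementation): generated code must share the runtime's major version
    and must not be newer than the runtime jar it links against."""
    g, r = parse_version(gencode), parse_version(runtime)
    return g[0] == r[0] and g <= r


def _jar(entries: dict[str, bytes]) -> bytes:
    """Build a minimal jar (zip) in memory from path -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample classpath for the demonstration; these are not the real
# artifacts and the class entries are empty placeholders.
SAMPLE_CLASSPATH = {
    "protobuf-java-3.25.5.jar": _jar({
        "com/google/protobuf/Message.class": b"",
        "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties": b"version=3.25.5\n",
    }),
    "ratis-thirdparty-misc.jar": _jar({
        "org/apache/ratis/thirdparty/com/google/protobuf/Message.class": b"",
    }),
    "legacy-grpc-helper.jar": _jar({  # hypothetical jar bundling an old runtime
        "com/google/protobuf/GeneratedMessageV3.class": b"",
        "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties": b"version=3.21.7\n",
    }),
}


def audit(classpath: dict[str, bytes]) -> dict[str, list[str]]:
    return classify([scan_jar(name, data) for name, data in classpath.items()])


if __name__ == "__main__":
    for key, jars in audit(SAMPLE_CLASSPATH).items():
        print(f"{key}: {jars}")
```

In the constructed classpath the Ratis jar is reported as shaded and raises no conflict, matching the conclusion of the thread, while the hypothetical `legacy-grpc-helper.jar` shows the failure mode pan3793 describes: a second, older unshaded runtime that the bump to 3.25.5 does not remove, so whichever copy the classloader finds first is the one the generated code actually runs against.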