upgrade xstream to 1.4.20 to pick up fixes for 2 CVEs

pjfanning commented 6 months ago

Issues

[X] My PR addresses the following Helix issues and references them in the PR description:

resolves #2764

Description

xstream 1.4.19 is insecure - see https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream

Tests

[ ] The following tests are written for this issue:

(List the names of added unit/integration tests)

The following is the result of the "mvn test" command on the appropriate module:

(If CI test fails due to known issue, please specify the issue and test PR locally. Then copy & paste the result of "mvn test" to here.)

Changes that Break Backward Compatibility (Optional)

My PR contains changes that break backward compatibility or previous assumptions for certain methods or API. They include:

(Consider including all behavior changes for public methods or API. Also include these changes in merge description so that other developers are aware of these changes. This allows them to make relevant code changes in feature branches accounting for the new method/API behavior.)

Documentation (Optional)

In case of new functionality, my PR adds documentation in the following wiki page:

(Link the GitHub wiki you added)

Commits

My commits all reference appropriate Apache Helix GitHub issues in their subject lines. In addition, my commits follow the guidelines from "How to write a good git commit message":
1. Subject is separated from body by a blank line
2. Subject is limited to 50 characters (not including Jira issue reference)
3. Subject does not end with a period
4. Subject uses the imperative mood ("add", not "adding")
5. Body wraps at 72 characters
6. Body explains "what" and "why", not "how"

Code Quality

My diff has been formatted using helix-style.xml (helix-style-intellij.xml if IntelliJ IDE is used)

junkaixue commented 6 months ago

The build fails @pjfanning

pjfanning commented 6 months ago

@junkaixue the build failure

Error:  Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.10.1:compile (default-compile) on project rabbitmq-consumer-group: Compilation failure
Error:  /home/runner/work/helix/helix/recipes/rabbitmq-consumer-group/src/main/java/org/apache/helix/recipes/rabbitmq/ConsumerThread.java:[27,27] cannot find symbol
Error:    symbol:   class QueueingConsumer
Error:    location: package com.rabbitmq.client

I did not change rabbitmq jar.

pjfanning commented 6 months ago

@junkaixue it looks like the helix master branch build is just broken - see https://github.com/apache/helix/commits/master/

there was a rabbitmq dependabot merge

junkaixue commented 6 months ago

Yeah. Just found that as well. Had a fix due to dependency bump. Let me rerun your PR CI.

apache / helix