guardian / grid

The Guardian’s image management system
https://www.theguardian.com/info/developer-blog/2015/aug/12/open-sourcing-grid-image-service
Apache License 2.0

override apache avro to 1.11.4 to avoid critical vuln #4371

Closed andrew-nowak closed 1 week ago

andrew-nowak commented 1 week ago

What does this change?

amazon-kinesis-client 2.4.2 brings in a version of Apache Avro with a critical vulnerability, but that is the latest version of KCL that depends on v1 of slf4j. It is easier to override the version of Avro for now (if it works) than to untangle the slf4j upgrade.

How should a reviewer test this change?

How can success be measured?

Who should look at this?

Tested? Documented?

github-actions[bot] commented 1 week ago

Deploy build 12911 to TEST

All deployment options - [Deploy build 12911 to TEST](https://riffraff.gutools.co.uk/deployment/deployAgain?project=media-service%3A%3Agrid%3A%3Aall&build=12911&stage=TEST&updateStrategy=MostlyHarmless&action=deploy) - [Deploy parts of build 12911 to TEST by previewing it first](https://riffraff.gutools.co.uk/preview/yaml?project=media-service%3A%3Agrid%3A%3Aall&build=12911&stage=TEST&updateStrategy=MostlyHarmless)

From guardian/actions-riff-raff.

prout-bot commented 1 week ago

Seen on auth, usage, image-loader, metadata-editor, thrall, leases, cropper, collections, media-api, kahuna (merged by @andrew-nowak 8 minutes and 44 seconds ago). Please check your changes!