
[codex] Upgrade Jetty dependencies to 12#18647

Open
xiangfu0 wants to merge 1 commit into
apache:masterfrom
xiangfu0:codex/jetty-12-cve-2026-2332

Conversation

Contributor

@xiangfu0 xiangfu0 commented Jun 2, 2026

Summary

  • upgrade managed Jetty coordinates from 9.4.x to Jetty 12.0.35, including Jetty EE8 compatibility artifacts used by optional Hadoop/Spark/Pulsar dependency paths
  • ban Jetty < 12 and hadoop-client-runtime in Maven enforcer rules so the vulnerable Jetty 9 runtime cannot re-enter transitively
  • add pinot-input-format/pinot-hadoop-shaded-xml as a small shaded support artifact for Hadoop-relocated Commons/Woodstox/Guava/Protobuf classes that were previously embedded in hadoop-client-runtime
  • update binary license inventory for the Jetty 12 and Woodstox/StAX dependency versions

User Manual / Compatibility

  • No Pinot table config, ingestion config, or query syntax changes are required.
  • Existing Hadoop, Spark, Parquet, HDFS, and Pulsar plugin users should keep using the same plugin coordinates and table configs. The change is internal to the managed dependency graph.
  • Sample table config/query: not applicable for this security dependency migration. Pinot service HTTP endpoints still use Grizzly/Jersey, not Jetty.

Tests

  • ./mvnw -pl pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml package -DskipTests
  • verified helper jar contains Hadoop-relocated Configuration, UnmodifiableMap, Guava Maps, and Protobuf Message classes
  • rm -rf pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3/target && ./mvnw -pl pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3 -am -Dtest=SparkSegmentGenerationJobRunnerTest -Dsurefire.failIfNoSpecifiedTests=false test
  • ./mvnw -pl pinot-tools,pinot-connectors/pinot-spark-3-connector,pinot-integration-tests,pinot-plugins/pinot-file-system/pinot-hdfs,pinot-plugins/pinot-input-format/pinot-orc,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-hadoop,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3,pinot-plugins/pinot-stream-ingestion/pinot-pulsar -am dependency:tree -Dincludes=org.apache.hadoop:hadoop-client-runtime,org.eclipse.jetty,org.eclipse.jetty.websocket,org.eclipse.jetty.ee8 -DskipTests
  • ./mvnw -B -ntp -T1C enforcer:enforce -DskipTests
  • ./mvnw -B -ntp -T1C enforcer:enforce -Pdependency-verifier -DskipTests
  • ./mvnw spotless:apply -pl .,pinot-bom,pinot-plugins,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3,pinot-connectors/pinot-spark-3-connector,pinot-integration-tests
  • ./mvnw license:format -pl .,pinot-bom,pinot-plugins,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3,pinot-connectors/pinot-spark-3-connector,pinot-integration-tests
  • ./mvnw checkstyle:check -pl .,pinot-bom,pinot-plugins,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3,pinot-connectors/pinot-spark-3-connector,pinot-integration-tests
  • ./mvnw license:check -pl .,pinot-bom,pinot-plugins,pinot-plugins/pinot-input-format,pinot-plugins/pinot-input-format/pinot-hadoop-shaded-xml,pinot-plugins/pinot-input-format/pinot-parquet,pinot-plugins/pinot-batch-ingestion/pinot-batch-ingestion-spark-3,pinot-connectors/pinot-spark-3-connector,pinot-integration-tests
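The Maven enforcer ban described in the Summary is the actual enforcement point in this PR. As an added example (not code from this PR or from Apache Pinot), the script below shows the complementary audit a reviewer can run over the `mvn dependency:tree` output listed under Tests: it parses the tree text, flags any `org.eclipse.jetty*` artifact with a major version below 12, and flags `hadoop-client-runtime` by coordinate regardless of version. The second rule matters because a shaded jar embeds its runtime classes, so whatever it carries never appears as a tree entry; banning the coordinate is the only way the tree-level check can catch it. The sample tree, the `org.example` coordinates, and all versions other than 12.0.35 are constructed placeholders.

```python
"""Audit `mvn dependency:tree` text for Jetty < 12 and hadoop-client-runtime.

Added example, not the PR's enforcer configuration. It mirrors the intent of
the PR's ban as a standalone check over dependency:tree output. The sample
tree below is constructed; coordinates and versions are illustrative only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One dependency:tree line: optional "[INFO]" prefix, tree-drawing prefix
# (| + \ - and spaces), then groupId:artifactId:type[:classifier]:version[:scope].
TREE_LINE = re.compile(
    r"^(?:\[INFO\]\s*)?(?P<indent>[|+\\\- ]*)"
    r"(?P<coord>[A-Za-z0-9_.\-]+:[A-Za-z0-9_.\-]+(?::[^\s]+)+)\s*$"
)
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample output (placeholder coordinates, not Pinot's real tree).
# hadoop-client-runtime is shaded, so nothing it embeds shows up beneath it.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ sample-module ---
[INFO] org.example:sample-module:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-client-runtime:jar:3.0.0:compile
[INFO] +- org.example:legacy-lib:jar:2.0:compile
[INFO] |  \- org.eclipse.jetty:jetty-server:jar:9.4.0.v20200000:compile
[INFO] \- org.eclipse.jetty.ee8:jetty-ee8-servlet:jar:12.0.35:compile
"""


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    depth: int  # 0 = the module itself, 1 = direct, >1 = transitive


def parse_tree(text: str) -> list[Dep]:
    """Extract (group, artifact, version, depth) from each dependency line."""
    deps: list[Dep] = []
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # plugin banners and other log lines
        parts = m.group("coord").split(":")
        if parts[-1] in SCOPES:
            parts = parts[:-1]  # the root module line carries no scope
        if len(parts) < 4:
            continue
        depth = len(m.group("indent")) // 3  # each tree level is 3 columns wide
        deps.append(Dep(parts[0], parts[1], parts[-1], depth))
    return deps


def jetty_major(version: str) -> int | None:
    """Leading numeric component, e.g. 9 for 9.4.x.vYYYYMMDD, 12 for 12.0.35."""
    m = re.match(r"(\d+)", version)
    return int(m.group(1)) if m else None


def banned(dep: Dep) -> str | None:
    """Return the reason a dependency violates the ban, or None if it is allowed."""
    if dep.group == "org.apache.hadoop" and dep.artifact == "hadoop-client-runtime":
        return "hadoop-client-runtime is banned by coordinate (shaded runtime)"
    if dep.group == "org.eclipse.jetty" or dep.group.startswith("org.eclipse.jetty."):
        major = jetty_major(dep.version)
        if major is None or major < 12:
            return f"Jetty {dep.version} is below the required 12.x line"
    return None


def audit(text: str) -> list[tuple[Dep, str]]:
    """All banned dependencies in a dependency:tree dump, with reasons."""
    return [(d, r) for d in parse_tree(text) if (r := banned(d))]


if __name__ == "__main__":
    import sys

    # Pipe real `mvn dependency:tree` output in; falls back to the sample.
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    for dep, reason in audit(text):
        print(f"BANNED depth={dep.depth} {dep.group}:{dep.artifact}:{dep.version}  ({reason})")
```

In CI a wrapper would fail the build when `audit` returns a non-empty list; the enforcer rule in the PR does the same job inside the Maven lifecycle, so this script is a second, tool-independent opinion rather than a replacement.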

@xiangfu0 xiangfu0 force-pushed the codex/jetty-12-cve-2026-2332 branch 2 times, most recently from 4606b36 to b923c8b on June 2, 2026 00:37

codecov-commenter commented Jun 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.39%. Comparing base (3b9a26f) to head (b266eb5).
⚠️ Report is 2 commits behind head on master.

@@             Coverage Diff              @@
##             master   #18647      +/-   ##
============================================
- Coverage     64.40%   64.39%   -0.01%     
  Complexity     1291     1291              
============================================
  Files          3365     3365              
  Lines        208058   208072      +14     
  Branches      32480    32481       +1     
============================================
+ Hits         133992   133998       +6     
- Misses        63295    63298       +3     
- Partials      10771    10776       +5     
| Flag | Coverage Δ |
|---|---|
| custom-integration1 | 100.00% <ø> (ø) |
| integration | 100.00% <ø> (ø) |
| integration1 | 100.00% <ø> (ø) |
| integration2 | 0.00% <ø> (ø) |
| java-21 | 64.39% <ø> (-0.01%) ⬇️ |
| temurin | 64.39% <ø> (-0.01%) ⬇️ |
| unittests | 64.39% <ø> (-0.01%) ⬇️ |
| unittests1 | 56.81% <ø> (+<0.01%) ⬆️ |
| unittests2 | 37.13% <ø> (-0.01%) ⬇️ |

Flags with carried forward coverage won't be shown.

@xiangfu0 xiangfu0 force-pushed the codex/jetty-12-cve-2026-2332 branch 2 times, most recently from 54c71fb to 6a10ece on June 2, 2026 02:44
@xiangfu0 xiangfu0 marked this pull request as ready for review June 2, 2026 03:59
@xiangfu0 xiangfu0 force-pushed the codex/jetty-12-cve-2026-2332 branch from 6a10ece to b266eb5 on June 2, 2026 05:14

2 participants