- Jetty 12.0.x versions greater than 12.0.9 do not exist in Maven Central
- Attempted 12.0.10, 12.0.12, 12.0.16 - none are available
- Next available versions are in 12.1.x series
- Remove Jetty dependency management to rely on transitive resolution
- Allows build to proceed with Jetty versions from Spark/Hadoop dependencies
- Can revisit with explicit version pinning if CVE concerns arise
- Upgrade from 9.4.53.v20231009 to 12.0.16 (meets requirement >12.0.9)
- Addresses security vulnerabilities in older Jetty versions
- Externalized version to jetty.version property for easier maintenance
- Added jetty-util, jetty-io, jetty-security to dependencyManagement
- Ensures all Jetty transitive dependencies use secure version
- Upgrade from 3.9.3 to 3.9.4 (latest stable)
- Ensures all known security vulnerabilities are patched
- Fixes GHSA-g93m-8x6h-g5gv, GHSA-r978-9m6m-6gm6, GHSA-2hmj-97jw-28jh
- Upgrade from 3.9.1 to 3.9.3
- Fixes GHSA-g93m-8x6h-g5gv: Authentication bypass in Admin Server
- Fixes GHSA-r978-9m6m-6gm6: Information disclosure in persistent watchers
- Fixes GHSA-2hmj-97jw-28jh: Insufficient permission check in snapshot/restore
- Addresses high and moderate severity vulnerabilities
- Set Parquet I/O loggers to OFF (completely disabled)
- Add log4j.configuration system property to ensure config is used
- Override Spark's default log4j configuration
- Prevents thousands of record-level DEBUG messages in CI logs
- Upgrade from 4.1.118.Final to 4.1.124.Final
- Fixes GHSA-prj3-ccx8-p6x4: MadeYouReset HTTP/2 DDoS vulnerability
- 4.1.124.Final is the confirmed patched version per GitHub advisory
- All versions <= 4.1.123.Final are vulnerable
- Upgrade from 4.1.115.Final to 4.1.118.Final
- Fixes CVE-2025-24970: improper validation in SslHandler
- Fixes CVE-2024-47535: unsafe environment file reading on Windows
- Fixes CVE-2024-29025: HttpPostRequestDecoder resource exhaustion
- Addresses GHSA-prj3-ccx8-p6x4 and related vulnerabilities
- Add seaweedfs.hadoop3.client.version property set to 3.80
- Replace hardcoded version with ${seaweedfs.hadoop3.client.version}
- Enables easier version management from single location
- Follows Maven best practices for dependency versioning
- Change compiler plugin source/target from hardcoded 1.8 to use properties
- Ensures consistency with maven.compiler.source/target set to 11
- Prevents version mismatch between properties and plugin configuration
- Aligns with surefire Java 9+ module arguments
- Fix inconsistency between maven.compiler.source/target (1.8) and
surefire JVM args (Java 9+ module flags like --add-opens)
- Update to Java 11 to match CI environment (GitHub Actions uses Java 11)
- Docker environment uses Java 17 which is also compatible
- Java 11+ is required for the --add-opens/--add-exports flags used
in the surefire configuration
chrislu