branch-4.0: [chore](dep)upgrade dependencies(#62858, #64196, #64208)#65065

Open
CalvinKirs wants to merge 3 commits into apache:branch-4.0 from CalvinKirs:branch-4.0-dep-june

@CalvinKirs

Member

address dependency check findings

(cherry picked from commit 0136aa5)

commons-lang 2.x is not referenced by any fe source code. It was only
declared in java-common and preload-extensions (bundled into the BE
java-extensions runtime classpath via the assembly) without being used.

- drop the commons-lang dependencyManagement entry and version property
from fe/pom.xml
- drop the unused direct dependency from java-common and
preload-extensions
- migrate the only affected usage (regression-test StringTest UDF) from
org.apache.commons.lang.StringUtils to
org.apache.commons.lang3.StringUtils

**Note: this removes commons-lang 2.x from the BE Java UDF runtime
classpath; legacy user UDFs importing org.apache.commons.lang.* must
migrate to lang3.**

(cherry picked from commit 8e19a41)

## Summary

Upgrade FE dependency versions for dependency scan findings:

- Exclude transitive dependencies from `hive-exec` in `fe/hive-udf`:
  - `org.apache.calcite:calcite-core`
  - `org.apache.calcite:calcite-druid`
  - `log4j:log4j`
- Upgrade Netty managed version from `4.1.132.Final` to `4.2.15.Final`,
covering Netty BOM-managed jars such as `netty-codec-memcache`,
`netty-codec-mqtt`, and `netty-transport`.
- Upgrade Azure SDK BOM from `1.3.4` to `1.3.7`, updating:
  - `azure-storage-blob` `12.33.1` -> `12.34.0`
  - `azure-core` `1.57.1` -> `1.58.0`
  - `azure-core-http-netty` `1.16.3` -> `1.16.4`
  - `azure-storage-common` `12.32.1` -> `12.33.0`
  - `azure-storage-internal-avro` `12.18.1` -> `12.19.0`
  - `azure-identity` `1.18.2` -> `1.18.3`
- Override Azure transitive dependencies:
  - `msal4j` `1.23.1` -> `1.25.0`
  - `azure-keyvault-core` `1.0.0` -> `1.2.6`
- Manage `commons-net:commons-net` to `3.13.0`, replacing older
transitive resolutions such as `3.6` from the Hive/Hadoop path and
`3.9.0` from Hadoop common.

(cherry picked from commit 4612983)
@CalvinKirs CalvinKirs requested a review from morningman as a code owner July 1, 2026 03:39
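
To find user UDF jars affected by the removal of commons-lang 2.x from the BE Java UDF runtime classpath, as noted in the PR description, the compiled classes can be scanned for references to the old package. This is an added example, not part of the pull request or of Apache Doris; the function names and the sample jar contents are constructed for illustration.

```python
import io
import re
import zipfile

# Internal (slash-separated) form used in class-file constant pools.
# The "/" after "lang" keeps org/apache/commons/lang3/ from matching.
LEGACY = re.compile(rb"org/apache/commons/lang/[A-Za-z0-9_$/]+")
LEGACY_PREFIX = "org/apache/commons/lang/"


def scan_udf_jar(jar):
    """Return (refs, bundled) for one jar (path or file-like object).

    refs maps each class in the jar to the sorted commons-lang 2.x classes
    it references; bundled is True when the jar ships those classes itself
    (a fat jar), in which case it does not rely on the runtime classpath.
    """
    refs, bundled = {}, False
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith(LEGACY_PREFIX):
                bundled = True
                continue  # the library's own classes, not a UDF
            hits = {m.decode() for m in LEGACY.findall(zf.read(name))}
            if hits:
                refs[name] = sorted(hits)
    return refs, bundled


def build_sample_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed stand-ins for compiled UDF classes: only the constant-pool
    # strings matter to the scan, so these bytes are not real class files.
    sample = build_sample_jar({
        "udf/OldUdf.class": b"\xca\xfe\xba\xbe\x01\x00\x23org/apache/commons/lang/StringUtils\x07",
        "udf/NewUdf.class": b"\xca\xfe\xba\xbe\x01\x00\x24org/apache/commons/lang3/StringUtils\x07",
    })
    print(scan_udf_jar(sample))
```

A jar reported with references and `bundled` set to False is the case that needs migration to lang3 before moving to a build that includes this change.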
@hello-stephen

Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@CalvinKirs CalvinKirs changed the title from "branch-4.0: cherry-pick dependency PRs (#62858, #64196, #64208)" to "branch-4.0: [chore](dep)upgrade dependencies(#62858, #64196, #64208)" Jul 1, 2026
@CalvinKirs

Member Author

run buildall

@hello-stephen

Contributor

FE UT Coverage Report

Increment line coverage `` 🎉
Increment coverage report
Complete coverage report
