@snyk-io snyk-io bot commented Nov 19, 2025


Snyk has created this PR to fix 29 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Merge Risk: High

This analysis focuses on the potential breaking changes for the specified package upgrades.

Breaking Change Assessment: High

This set of upgrades introduces significant changes, particularly within the Apache Hudi and Apache Parquet dependencies. The upgrade from hudi-common 1.0.0-SNAPSHOT to 1.1.0 is a major evolution, and the parquet-avro update spans multiple minor versions with notable modifications.

  • org.apache.hudi:hudi-common @ 1.0.0-SNAPSHOT → 1.1.0 (High Risk): This upgrade moves from a development snapshot to a new minor version, introducing substantial changes. The Hudi 1.1.0 release plans to deprecate existing Payload classes in favor of standardized built-in merge modes, which will require code modifications for custom merging logic. Additionally, official support for Spark 4 will default to Java 17, potentially impacting environments on older JDKs. The release also removes the direct dependency on HBase by introducing a native HFile writer.
    Recommendation: Developers must review their use of custom Payload classes and migrate to the new built-in merge modes. Validate the application's compatibility with the new HFile format and prepare for a potential JDK upgrade if using Spark 4.

  • org.apache.parquet:parquet-avro @ 1.13.1 → 1.15.2 (Medium Risk): This upgrade crosses two minor versions. A key change introduced to address a security vulnerability (CVE-2025-46762) is the restriction of trusted packages for schema resolution when using "specific" or "reflect" data models. If your application relies on these models for Avro schema conversion, you may need to explicitly configure which packages are considered trusted.
    Recommendation: Review code that uses parquet-avro with "specific" or "reflect" models and test schema resolution. If needed, configure the org.apache.parquet.avro.trusted.packages system property.

  • org.apache.avro:avro @ 1.11.2 → 1.11.4 (Low Risk): This is a patch-level update consisting primarily of bug fixes. Version 1.11.4 introduces a change to restrict trusted packages in ReflectData and SpecificData for security purposes. This is unlikely to affect most users but could be a breaking change for applications using reflection with classes from untrusted packages.
    Recommendation: Merge and test. The risk of functional breakage is low unless advanced reflection features are in use.

Additional Upgrades

  • org.apache.hudi:hudi-datahub-sync @ 1.0.0-SNAPSHOT → 1.0.1 (Medium Risk): Moving from a snapshot to a stable patch release reduces instability. Version 1.0.1 is intended as a bug-fix release to harden the major changes introduced in 1.0. The risk is primarily associated with the unstable nature of the starting SNAPSHOT version.

Notice 🤖: This content was generated using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


Vulnerabilities that will be fixed with an upgrade:

| Severity | Issue | Snyk ID | Score | Upgrade | Reachability | Exploit maturity |
|---|---|---|---|---|---|---|
| critical | Deserialization of Untrusted Data | SNYK-JAVA-ORGAPACHEPARQUET-9638681 | 548 | org.apache.parquet:parquet-avro 1.13.1 -> 1.15.2 | Reachable | Proof of Concept |
| critical | Deserialization of Untrusted Data | SNYK-JAVA-ORGAPACHEAVRO-8161188 | 311 | org.apache.avro:avro 1.11.2 -> 1.11.4 | Reachable | No Known Exploit |
| high | Denial of Service (DoS) | SNYK-JAVA-ORGXERIALSNAPPY-5710960 | 265 | org.apache.parquet:parquet-avro 1.13.1 -> 1.15.2 | Reachable | Proof of Concept |
| high | Allocation of Resources Without Limits or Throttling | SNYK-JAVA-ORGXERIALSNAPPY-5918282 | 264 | org.apache.parquet:parquet-avro 1.13.1 -> 1.15.2 | Reachable | Proof of Concept |
| medium | Integer Overflow or Wraparound | SNYK-JAVA-ORGXERIALSNAPPY-5710961 | 243 | org.apache.parquet:parquet-avro 1.13.1 -> 1.15.2 | Reachable | Proof of Concept |
| high | Authorization Bypass Through User-Controlled Key | SNYK-JAVA-ORGAPACHEZOOKEEPER-5961102 | 164 | | No Path Found | No Known Exploit |
| high | External Control of File Name or Path | SNYK-JAVA-ORGAPACHEPARQUET-10060156 | 156 | org.apache.parquet:parquet-avro 1.13.1 -> 1.15.2 | No Path Found | No Known Exploit |
| medium | Integer Overflow or Wraparound | SNYK-JAVA-ORGXERIALSNAPPY-5710959 | 147 | org.apache.parquet:parquet-avro 1.13.1 -> 1.15.2 | No Path Found | Proof of Concept |
| high | Uncontrolled Recursion | SNYK-JAVA-ORGAPACHECOMMONS-10734078 | 145 | | No Path Found | No Known Exploit |
| high | Uncontrolled Memory Allocation | SNYK-JAVA-IONETTY-564897 | 137 | | No Path Found | No Known Exploit |
| medium | Improper Validation of Specified Quantity in Input | SNYK-JAVA-IONETTY-8707740 | 130 | | No Path Found | Proof of Concept |
| medium | Denial of Service (DoS) | SNYK-JAVA-IONETTY-8367012 | 120 | | No Path Found | Proof of Concept |
| high | Infinite loop | SNYK-JAVA-ORGAPACHECOMMONS-6254296 | 120 | org.apache.avro:avro 1.11.2 -> 1.11.4 | No Path Found | No Known Exploit |
| high | Denial of Service (DoS) | SNYK-JAVA-IONETTY-1584063 | 115 | | No Path Found | No Known Exploit |
| high | Stack-based Buffer Overflow | SNYK-JAVA-COMGOOGLEPROTOBUF-8055227 | 114 | | No Path Found | No Known Exploit |
| high | Denial of Service (DoS) | SNYK-JAVA-IONETTY-1584064 | 114 | | No Path Found | No Known Exploit |
| medium | Denial of Service (DoS) | SNYK-JAVA-IONETTY-5725787 | 105 | | No Path Found | No Known Exploit |
| medium | Improper Input Validation | SNYK-JAVA-ORGAPACHECOMMONS-5901530 | 100 | org.apache.avro:avro 1.11.2 -> 1.11.4 | No Path Found | No Known Exploit |
| medium | Information Disclosure | SNYK-JAVA-IONETTY-1082234 | 85 | | No Path Found | No Known Exploit |
| medium | Information Disclosure | SNYK-JAVA-IONETTY-1082235 | 85 | | No Path Found | No Known Exploit |
| medium | Information Disclosure | SNYK-JAVA-IONETTY-1082236 | 85 | | No Path Found | No Known Exploit |
| medium | Information Disclosure | SNYK-JAVA-IONETTY-1082238 | 85 | | No Path Found | No Known Exploit |
| medium | Directory Traversal | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517 | 76 | | Reachable | No Known Exploit |
| medium | Information Exposure | SNYK-JAVA-IONETTY-2812456 | 75 | | No Path Found | No Known Exploit |
| low | Information Exposure | SNYK-JAVA-COMMONSCODEC-561518 | 67 | | Reachable | No Known Exploit |
| low | Improper Input Validation | SNYK-JAVA-ORGAPACHEAVRO-5926693 | 53 | org.apache.avro:avro 1.11.2 -> 1.11.4 | No Path Found | No Known Exploit |
| medium | Uncontrolled Resource Consumption ('Resource Exhaustion') | SNYK-JAVA-COMMONSIO-8161190 | 45 | | No Path Found | No Known Exploit |
| medium | Improper Input Validation | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058 | 45 | | No Path Found | No Known Exploit |
| medium | Allocation of Resources Without Limits or Throttling | SNYK-JAVA-ORGAPACHECOMMONS-6254297 | 35 | org.apache.avro:avro 1.11.2 -> 1.11.4 | No Path Found | No Known Exploit |

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade org.apache.hudi:hudi-common@1.0.0-SNAPSHOT to org.apache.hudi:hudi-common@1.1.0; Reason: could not apply upgrade, dependency is managed externally; Location: provenance does not contain location
    • Could not upgrade org.apache.hudi:hudi-datahub-sync@1.0.0-SNAPSHOT to org.apache.hudi:hudi-datahub-sync@1.0.1; Reason: could not apply upgrade, dependency is managed externally; Location: provenance does not contain location

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncontrolled Resource Consumption ('Resource Exhaustion')
🦉 Information Disclosure
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEPARQUET-9638681
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-8161188
- https://snyk.io/vuln/SNYK-JAVA-ORGXERIALSNAPPY-5710960
- https://snyk.io/vuln/SNYK-JAVA-ORGXERIALSNAPPY-5918282
- https://snyk.io/vuln/SNYK-JAVA-ORGXERIALSNAPPY-5710961
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEZOOKEEPER-5961102
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEPARQUET-10060156
- https://snyk.io/vuln/SNYK-JAVA-ORGXERIALSNAPPY-5710959
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-564897
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-8707740
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-8367012
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254296
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-1584063
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-8055227
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-1584064
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-5725787
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-5901530
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-1082234
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-1082235
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-1082236
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-1082238
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-2812456
- https://snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-5926693
- https://snyk.io/vuln/SNYK-JAVA-COMMONSIO-8161190
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254297
snyk-io bot commented Nov 19, 2025

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
