[NO-SNOW] Exclude vulnerable transitive deps from snowflake-jdbc-thin#1148
Merged
sfc-gh-ggeng merged 4 commits into master, Apr 14, 2026
Conversation
- Add hamcrest-core:1.3 as explicit test dependency (used by ported tests: RestRequestTest, JdbcHttpUtilTest, SnowflakeConnectStringTest, SecretDetectorTest)
- Exclude vulnerable transitive deps from snowflake-jdbc-thin in both main pom and e2e-jar-test pom:
  - grpc-netty-shaded (CVE-2025-55163, CVSS 8.7)
  - commons-lang3 (CVE-2025-48924, CVSS 8.8)
  - javax.servlet-api (license: CDDL-1.1/GPL-2.0)
  - javax.annotation-api (license: CDDL-1.1/GPL-2.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sfc-gh-alhuang approved these changes, Apr 13, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

Exclude vulnerable transitive dependencies pulled in by `snowflake-jdbc-thin` (test scope) and add `hamcrest-core` as an explicit test dependency.

Security fixes

Exclude from `snowflake-jdbc-thin` in both main `pom.xml` and `e2e-jar-test/pom.xml`:

- `io.grpc:grpc-netty-shaded`
- `org.apache.commons:commons-lang3`
- `javax.servlet:javax.servlet-api`
- `javax.annotation:javax.annotation-api`

The ingest SDK already declares safe versions of `grpc` (1.77.0) and `commons-lang3` (3.18.0) directly. `javax.servlet-api` and `javax.annotation-api` were already excluded in the main pom but not in the e2e-jar-test pom.

Test dependency

Add `org.hamcrest:hamcrest-core:1.3` as explicit test dependency (used by ported JDBC tests in [SNOW-3249917] Port 25 missing JDBC unit tests for replicated classes #1147).

Test plan

- `mvn compiler:compile` passes

🤖 Generated with Claude Code
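What the described change looks like in a Maven pom, as an added example written for this page rather than the PR's actual diff. The excluded coordinates, the reasons given for each, and the `hamcrest-core:1.3` test dependency are taken from the PR description above; the `net.snowflake` groupId for `snowflake-jdbc-thin` and the `${snowflake-jdbc-thin.version}` property are assumptions, not values from the page.

```xml
<!-- Added example, not the PR's own diff.
     Assumptions: groupId net.snowflake for snowflake-jdbc-thin and the
     placeholder property ${snowflake-jdbc-thin.version}. The excluded
     coordinates and hamcrest-core:1.3 are the ones named in the PR. -->
<dependencies>

  <!-- Test-scoped dependency that transitively pulls in the flagged artifacts.
       Exclusions are attached to this declaration only, so the same block has
       to be repeated in every pom that declares snowflake-jdbc-thin
       (here: the main pom.xml and e2e-jar-test/pom.xml). -->
  <dependency>
    <groupId>net.snowflake</groupId>                        <!-- assumed groupId -->
    <artifactId>snowflake-jdbc-thin</artifactId>
    <version>${snowflake-jdbc-thin.version}</version>       <!-- placeholder -->
    <scope>test</scope>
    <exclusions>
      <!-- CVE-2025-55163 (CVSS 8.7); the SDK declares grpc 1.77.0 itself -->
      <exclusion>
        <groupId>io.grpc</groupId>
        <artifactId>grpc-netty-shaded</artifactId>
      </exclusion>
      <!-- CVE-2025-48924 (CVSS 8.8); the SDK declares commons-lang3 3.18.0 itself -->
      <exclusion>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
      </exclusion>
      <!-- Excluded for licensing (CDDL-1.1/GPL-2.0), not for a CVE -->
      <exclusion>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
      </exclusion>
      <exclusion>
        <groupId>javax.annotation</groupId>
        <artifactId>javax.annotation-api</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Previously reached only transitively; declared explicitly so the ported
       tests do not depend on what snowflake-jdbc-thin happens to bring in. -->
  <dependency>
    <groupId>org.hamcrest</groupId>
    <artifactId>hamcrest-core</artifactId>
    <version>1.3</version>
    <scope>test</scope>
  </dependency>

</dependencies>
```

Two things worth checking after applying a block like this. First, an exclusion only removes the artifact from the path through the dependency it is declared on; `mvn dependency:tree -Dincludes=io.grpc:grpc-netty-shaded,javax.servlet:javax.servlet-api,javax.annotation:javax.annotation-api` should then report no remaining path to those artifacts, and `commons-lang3` should resolve solely to the SDK's own 3.18.0 declaration. Second, an exclusion can also drop classes the excluded driver loads at run time, which a compile-only check such as `mvn compiler:compile` will not reveal, so the tests that exercise `snowflake-jdbc-thin` are the place where a missing class would surface.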