From bce0f4190aa198cb39c3e4bcdc2369891189e0de Mon Sep 17 00:00:00 2001
From: Smith Cruise <chendingchao1@126.com>
Date: Wed, 31 Jul 2024 19:01:31 +0800
Subject: [PATCH 1/6] Fix cve problems in paimon-bundle

Signed-off-by: Smith Cruise <chendingchao1@126.com>
---
 paimon-common/pom.xml | 8 ++++++++
 paimon-format/pom.xml | 6 ++++++
 pom.xml               | 3 ++-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/paimon-common/pom.xml b/paimon-common/pom.xml
index 78183158ded7..bbe14e26cfaa 100644
--- a/paimon-common/pom.xml
+++ b/paimon-common/pom.xml
@@ -57,6 +57,14 @@ under the License.
             <version>${airlift.version}</version>
         </dependency>
 
+        <!-- From paimon-format -->
+        <!-- From org.apache.avro -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>${commons-compress.version}</version>
+        </dependency>
+
         <!-- From paimon-bundle -->
         <dependency>
             <groupId>org.lz4</groupId>
diff --git a/paimon-format/pom.xml b/paimon-format/pom.xml
index 57467f8513e7..5b472b95bb9f 100644
--- a/paimon-format/pom.xml
+++ b/paimon-format/pom.xml
@@ -158,6 +158,12 @@ under the License.
             <groupId>org.apache.avro</groupId>
             <artifactId>avro</artifactId>
             <version>${avro.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-compress</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
diff --git a/pom.xml b/pom.xml
index 75a7cd098a95..fa2922e54bee 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,7 +82,8 @@ under the License.
         <scala.version>2.12.15</scala.version>
         <scala.binary.version>2.12</scala.binary.version>
         <snappy.version>1.1.8.3</snappy.version>
-        <airlift.version>0.21</airlift.version>
+        <airlift.version>0.27</airlift.version>
+        <commons-compress.version>1.26.2</commons-compress.version>
         <lz4.version>1.8.0</lz4.version>
         <slf4j.version>1.7.32</slf4j.version>
         <log4j.version>2.17.1</log4j.version>

From 01190fd881389274d14d0684adaaccb4f2b4191a Mon Sep 17 00:00:00 2001
From: Smith Cruise <chendingchao1@126.com>
Date: Wed, 31 Jul 2024 22:12:24 +0800
Subject: [PATCH 2/6] change

Signed-off-by: Smith Cruise <chendingchao1@126.com>
---
 paimon-common/pom.xml | 8 --------
 paimon-format/pom.xml | 8 ++++++++
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/paimon-common/pom.xml b/paimon-common/pom.xml
index bbe14e26cfaa..78183158ded7 100644
--- a/paimon-common/pom.xml
+++ b/paimon-common/pom.xml
@@ -57,14 +57,6 @@ under the License.
             <version>${airlift.version}</version>
         </dependency>
 
-        <!-- From paimon-format -->
-        <!-- From org.apache.avro -->
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-compress</artifactId>
-            <version>${commons-compress.version}</version>
-        </dependency>
-
         <!-- From paimon-bundle -->
         <dependency>
             <groupId>org.lz4</groupId>
diff --git a/paimon-format/pom.xml b/paimon-format/pom.xml
index 5b472b95bb9f..8b4f1c1ae590 100644
--- a/paimon-format/pom.xml
+++ b/paimon-format/pom.xml
@@ -166,6 +166,14 @@ under the License.
             </exclusions>
         </dependency>
 
+        <!-- Fix cve problem -->
+        <!-- From org.apache.avro -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>${commons-compress.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>joda-time</groupId>
             <artifactId>joda-time</artifactId>

From d022aa2b5946bd11590e0e2180cb2859df4bc0e4 Mon Sep 17 00:00:00 2001
From: Smith Cruise <chendingchao1@126.com>
Date: Sun, 11 Aug 2024 15:26:26 +0800
Subject: [PATCH 3/6] update notice

Signed-off-by: Smith Cruise <chendingchao1@126.com>
---
 paimon-format/src/main/resources/META-INF/NOTICE | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/paimon-format/src/main/resources/META-INF/NOTICE b/paimon-format/src/main/resources/META-INF/NOTICE
index 1b1a0a0b2cfa..976ca88a6871 100644
--- a/paimon-format/src/main/resources/META-INF/NOTICE
+++ b/paimon-format/src/main/resources/META-INF/NOTICE
@@ -9,7 +9,7 @@ This project bundles the following dependencies under the Apache Software Licens
 - org.apache.orc:orc-core:1.9.2
 - org.apache.orc:orc-shims:1.9.2
 - org.apache.hive:hive-storage-api:2.8.1
-- io.airlift:aircompressor:0.21
+- io.airlift:aircompressor:0.27
 - commons-lang:commons-lang:2.6
 - org.apache.commons:commons-lang3:3.12.0
 
@@ -17,7 +17,7 @@ This project bundles the following dependencies under the Apache Software Licens
 - com.fasterxml.jackson.core:jackson-core:2.14.2
 - com.fasterxml.jackson.core:jackson-databind:2.14.2
 - com.fasterxml.jackson.core:jackson-annotations:2.14.2
-- org.apache.commons:commons-compress:1.22
+- org.apache.commons:commons-compress:1.26.2
 
 - org.apache.parquet:parquet-hadoop:1.13.1
 - org.apache.parquet:parquet-column:1.13.1

From c5754f7c7f644ddf7e42ccef6fa519f53c7a945e Mon Sep 17 00:00:00 2001
From: Smith Cruise <chendingchao1@126.com>
Date: Sun, 11 Aug 2024 15:53:59 +0800
Subject: [PATCH 4/6] update notice

Signed-off-by: Smith Cruise <chendingchao1@126.com>
---
 paimon-format/pom.xml                            | 14 --------------
 paimon-format/src/main/resources/META-INF/NOTICE |  2 +-
 pom.xml                                          |  2 +-
 3 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/paimon-format/pom.xml b/paimon-format/pom.xml
index 8b4f1c1ae590..57467f8513e7 100644
--- a/paimon-format/pom.xml
+++ b/paimon-format/pom.xml
@@ -158,20 +158,6 @@ under the License.
             <groupId>org.apache.avro</groupId>
             <artifactId>avro</artifactId>
             <version>${avro.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-compress</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-
-        <!-- Fix cve problem -->
-        <!-- From org.apache.avro -->
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-compress</artifactId>
-            <version>${commons-compress.version}</version>
         </dependency>
 
         <dependency>
diff --git a/paimon-format/src/main/resources/META-INF/NOTICE b/paimon-format/src/main/resources/META-INF/NOTICE
index 976ca88a6871..e58ec1c0fcd7 100644
--- a/paimon-format/src/main/resources/META-INF/NOTICE
+++ b/paimon-format/src/main/resources/META-INF/NOTICE
@@ -13,7 +13,7 @@ This project bundles the following dependencies under the Apache Software Licens
 - commons-lang:commons-lang:2.6
 - org.apache.commons:commons-lang3:3.12.0
 
-- org.apache.avro:avro:1.11.3
+- org.apache.avro:avro:1.12.0
 - com.fasterxml.jackson.core:jackson-core:2.14.2
 - com.fasterxml.jackson.core:jackson-databind:2.14.2
 - com.fasterxml.jackson.core:jackson-annotations:2.14.2
diff --git a/pom.xml b/pom.xml
index fa2922e54bee..7de823495c50 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,7 +112,7 @@ under the License.
         <jaxb.api.version>2.3.1</jaxb.api.version>
         <findbugs.version>1.3.9</findbugs.version>
         <json-smart.version>2.4.9</json-smart.version>
-        <avro.version>1.11.3</avro.version>
+        <avro.version>1.12.0</avro.version>
         <kafka.version>3.2.3</kafka.version>
         <scala-maven-plugin.version>3.2.2</scala-maven-plugin.version>
         <scalatest-maven-plugin.version>2.1.0</scalatest-maven-plugin.version>

From 1351791699db3a5e8c3865d7bf66a87fe18e9fdc Mon Sep 17 00:00:00 2001
From: Smith Cruise <chendingchao1@126.com>
Date: Sun, 11 Aug 2024 15:59:36 +0800
Subject: [PATCH 5/6] update notice

Signed-off-by: Smith Cruise <chendingchao1@126.com>
---
 paimon-format/src/main/resources/META-INF/NOTICE | 4 ++--
 pom.xml                                          | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/paimon-format/src/main/resources/META-INF/NOTICE b/paimon-format/src/main/resources/META-INF/NOTICE
index e58ec1c0fcd7..44e3ca97a904 100644
--- a/paimon-format/src/main/resources/META-INF/NOTICE
+++ b/paimon-format/src/main/resources/META-INF/NOTICE
@@ -13,11 +13,11 @@ This project bundles the following dependencies under the Apache Software Licens
 - commons-lang:commons-lang:2.6
 - org.apache.commons:commons-lang3:3.12.0
 
-- org.apache.avro:avro:1.12.0
+- org.apache.avro:avro:1.11.3
 - com.fasterxml.jackson.core:jackson-core:2.14.2
 - com.fasterxml.jackson.core:jackson-databind:2.14.2
 - com.fasterxml.jackson.core:jackson-annotations:2.14.2
-- org.apache.commons:commons-compress:1.26.2
+- org.apache.commons:commons-compress:1.22
 
 - org.apache.parquet:parquet-hadoop:1.13.1
 - org.apache.parquet:parquet-column:1.13.1
diff --git a/pom.xml b/pom.xml
index 7de823495c50..fa2922e54bee 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,7 +112,7 @@ under the License.
         <jaxb.api.version>2.3.1</jaxb.api.version>
         <findbugs.version>1.3.9</findbugs.version>
         <json-smart.version>2.4.9</json-smart.version>
-        <avro.version>1.12.0</avro.version>
+        <avro.version>1.11.3</avro.version>
         <kafka.version>3.2.3</kafka.version>
         <scala-maven-plugin.version>3.2.2</scala-maven-plugin.version>
         <scalatest-maven-plugin.version>2.1.0</scalatest-maven-plugin.version>

From 60ec288bc9ba114e683fc4e7555404d528b004c4 Mon Sep 17 00:00:00 2001
From: Smith Cruise <chendingchao1@126.com>
Date: Sun, 11 Aug 2024 16:00:01 +0800
Subject: [PATCH 6/6] update notice

Signed-off-by: Smith Cruise <chendingchao1@126.com>
---
 pom.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index fa2922e54bee..409235af1e25 100644
--- a/pom.xml
+++ b/pom.xml
@@ -83,7 +83,6 @@ under the License.
         <scala.binary.version>2.12</scala.binary.version>
         <snappy.version>1.1.8.3</snappy.version>
         <airlift.version>0.27</airlift.version>
-        <commons-compress.version>1.26.2</commons-compress.version>
         <lz4.version>1.8.0</lz4.version>
         <slf4j.version>1.7.32</slf4j.version>
         <log4j.version>2.17.1</log4j.version>