Update Ameria to 1.34.1#6343
Conversation
KarstenSchnitter
left a comment
KarstenSchnitter
left a comment
There was a problem hiding this comment.
@dlvenable and @kkondaka we need your input on the dependency upgrade. Apparently we need a newer netty version. What do you think about the AWS SDK, that currently uses an older version?
| } else if (!details.requested.name.startsWith('netty-tcnative')) { | ||
| details.useVersion '4.1.125.Final' | ||
| details.because 'Fixes CVE-2025-58057, CVE-2025-58056, CVE-2025-55163, CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.' | ||
| details.useVersion '4.2.7.Final' |
There was a problem hiding this comment.
netty dependencies are also contained in the AWS SDK. The currently used version in Data Prepper uses netty 4.1.118.Final. I am not sure what the latest SDK versions use.
There was a problem hiding this comment.
I normally run this command to see what the different projects are using:
./gradlew -p data-prepper-core dependencies > deps.core.out
It looks like there are a few possible issues with migrating:
https://netty.io/wiki/netty-4.2-migration-guide.html
It states this:
It is important to ensure that all the components of your system is using the same Netty version, and are all configuring endpoint validation correctly. First off, this avoids any surprises from older client libraries that configure endpoint validation incorrectly, and may as a result stop working after a Netty 4.2 upgrade. Secondly, Netty 4.1 and 4.2 cannot co-exist on the class path, so you need to ensure you do the upgrade in a single step.
So we should check all the dependencies that use Netty to see if they have migrated to 4.2.
There was a problem hiding this comment.
@dlvenable Thanks for the pointers!
Regarding the (forced) netty version update from 4.1.118.Final to 4.2.7.Final:
I checked the dependencies and saw that the current versions of the awssdk and hadoop are still using netty 4.1.x:
- software.amazon.awssdk:netty-nio-client => 4.1.118.Final
- org.apache.hadoop:hadoop-common:3.4.0 => 4.1.100.Final
- org.apache.hadoop:hadoop-mapreduce-client-core:3.4.0 => 4.1.100.Final
Note that hadoop isn't even compatible with the current netty version 4.1.118.Final (but only the patch version).
I updated them to the latest version (awssdk 2.30.23 -> 2.41.5; hadoop 3.4.0 -> 3.4.2) and could reduce the version gap to netty 4.2.7.Final a little bit:
- software.amazon.awssdk:netty-nio-client => 4.1.130.Final
- org.apache.hadoop:hadoop-common => 4.1.118.Final
- org.apache.hadoop:hadoop-mapreduce-client-core => 4.1.118.Final
My question is if we should still proceed with the current state of the PR and test it thoroughly, since the awssdk might not have officially validated netty 4.2 or if we should wait until both libraries officially support the netty version.
dlvenable
left a comment
dlvenable
left a comment
There was a problem hiding this comment.
Thanks @JannikBrand for this contribution! This could have compatibility issues unless we get all of our Netty dependencies updated as well. I left some instructions that might help.
| } else if (!details.requested.name.startsWith('netty-tcnative')) { | ||
| details.useVersion '4.1.125.Final' | ||
| details.because 'Fixes CVE-2025-58057, CVE-2025-58056, CVE-2025-55163, CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.' | ||
| details.useVersion '4.2.7.Final' |
There was a problem hiding this comment.
I normally run this command to see what the different projects are using:
./gradlew -p data-prepper-core dependencies > deps.core.out
It looks like there are a few possible issues with migrating:
https://netty.io/wiki/netty-4.2-migration-guide.html
It states this:
It is important to ensure that all the components of your system is using the same Netty version, and are all configuring endpoint validation correctly. First off, this avoids any surprises from older client libraries that configure endpoint validation incorrectly, and may as a result stop working after a Netty 4.2 upgrade. Secondly, Netty 4.1 and 4.2 cannot co-exist on the class path, so you need to ensure you do the upgrade in a single step.
So we should check all the dependencies that use Netty to see if they have migrated to 4.2.
JannikBrand
force-pushed
the
6271-armeria-fix
branch
from
3a23f06 to
84b0359
Compare
JannikBrand
force-pushed
the
6271-armeria-fix
branch
from
84b0359 to
8cd7a74
Compare
|
Also found this netty 4.2 migration guide: https://netty.io/wiki/netty-4.2-migration-guide.html |
JannikBrand
force-pushed
the
6271-armeria-fix
branch
from
8cd7a74 to
bde6337
Compare
|
Found that there is an open PR for the awssdk to upgrade netty to the wanted minor version: |
JannikBrand
force-pushed
the
6271-armeria-fix
branch
from
bde6337 to
112d7ef
Compare
Fixes opensearch-project#6271 since the current Ameria version is affected by a couple of bugs (see comment opensearch-project#6271 (comment)). To support the ameria update update Netty to 4.2.7. Furthermore, the new armeria version brings in Micrometer 1.16.0 as transitive dependency, which deprecates the io.micrometer.core.lang annotations - see release notes: https://github.com/micrometer-metrics/micrometer/releases/tag/v1.16.0. Signed-off-by: Jannik Brand <[email protected]>
Signed-off-by: Jannik Brand <[email protected]>
JannikBrand
force-pushed
the
6271-armeria-fix
branch
from
112d7ef to
c4c1d21
Compare
Signed-off-by: Jannik Brand <[email protected]>
3 participants
Description
Update Ameria to 1.34.2.
The current Ameria version is affected by a couple of bugs (see comment #6271 (comment)).
To support the ameria update update Netty to 4.2.7.
Furthermore, the new armeria version brings in Micrometer 1.16.0 as transitive dependency, which deprecates the io.micrometer.core.lang annotations - see release notes:
https://github.com/micrometer-metrics/micrometer/releases/tag/v1.16.0.
Issues Resolved
Resolves #6271
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.