From 6ca670b22a1f2ed0f3eb2871b8537df36bac83cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Jul 2026 13:16:58 +0000 Subject: [PATCH 1/3] fix(deps): bump org.apache.hadoop:hadoop-common from 3.4.3 to 3.5.0 Bumps org.apache.hadoop:hadoop-common from 3.4.3 to 3.5.0. --- updated-dependencies: - dependency-name: org.apache.hadoop:hadoop-common dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- amber/build.sbt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/amber/build.sbt b/amber/build.sbt index 1a986033b5d..70fc9302779 100644 --- a/amber/build.sbt +++ b/amber/build.sbt @@ -158,7 +158,7 @@ val luceneDependencies = Seq( ///////////////////////////////////////////////////////////////////////////// // Hadoop related -val hadoopVersion = "3.4.3" +val hadoopVersion = "3.5.0" val excludeHadoopJersey = ExclusionRule(organization = "com.sun.jersey") // Hadoop 3.3.2+ ships jersey-json via the com.github.pjfanning fork; its Jersey 1.x // providers break Jersey 2 auto-discovery at startup, so exclude it as well. From 9e3545b6ccb030429b43c5696b66df778f5158a3 Mon Sep 17 00:00:00 2001 From: probe Date: Tue, 7 Jul 2026 16:59:10 -0700 Subject: [PATCH 2/3] fix(deps): keep Jersey at 2.25.1 and sync amber licenses for hadoop-common 3.5.0 Hadoop 3.5.0 switched its web stack from Jersey 1.x (com.sun.jersey) to Jersey 2.46 (org.glassfish.jersey.*), which drops AbstractValueFactoryProvider. SBT's max-version eviction then replaced Dropwizard 1.3.23's Jersey 2.25.1 across the amber classpath (pulled transitively through the direct hadoop-common, workflow-core, and commons-vfs2 -> hadoop-hdfs-client), breaking dropwizard-auth's AuthValueFactoryProvider.Binder in ComputingUnitMaster. Pin the shared Jersey core/containers artifacts back to 2.25.1 in WorkflowExecutionService and drop Hadoop's 2.46-only jersey-hk2 module (jersey-inject did not exist in 2.25.1) so the classpath matches Dropwizard's expectations. Sync amber/LICENSE-binary-java and regenerate amber/NOTICE-binary for the bundled hadoop 3.5.0 jars and the glassfish JAXB runtime hadoop now pulls (jettison is no longer bundled). --- amber/LICENSE-binary-java | 11 ++- amber/NOTICE-binary | 195 ++++++++++++++++++++++++++++++++++++++ build.sbt | 15 ++- 3 files changed, 216 insertions(+), 5 deletions(-) diff --git a/amber/LICENSE-binary-java b/amber/LICENSE-binary-java index e81bd834085..c35852eba59 100644 --- a/amber/LICENSE-binary-java +++ b/amber/LICENSE-binary-java @@ -387,9 +387,9 @@ Scala/Java jars: - org.apache.curator.curator-client-5.2.0.jar - org.apache.curator.curator-framework-5.2.0.jar - org.apache.curator.curator-recipes-5.2.0.jar - - org.apache.hadoop.hadoop-annotations-3.4.3.jar - - org.apache.hadoop.hadoop-auth-3.4.3.jar - - org.apache.hadoop.hadoop-common-3.4.3.jar + - org.apache.hadoop.hadoop-annotations-3.5.0.jar + - org.apache.hadoop.hadoop-auth-3.5.0.jar + - org.apache.hadoop.hadoop-common-3.5.0.jar - org.apache.hadoop.hadoop-hdfs-client-3.4.3.jar - org.apache.hadoop.hadoop-mapreduce-client-core-3.4.3.jar - org.apache.hadoop.hadoop-yarn-api-3.4.3.jar @@ -452,7 +452,6 @@ Scala/Java jars: - org.apache.zookeeper.zookeeper-3.8.4.jar - org.apache.zookeeper.zookeeper-jute-3.8.4.jar - org.bitbucket.b_c.jose4j-0.9.6.jar - - org.codehaus.jettison.jettison-1.5.4.jar - org.eclipse.jetty.jetty-annotations-9.4.18.v20190429.jar - org.eclipse.jetty.jetty-client-9.4.57.v20241219.jar - org.eclipse.jetty.jetty-continuation-9.4.18.v20190429.jar @@ -627,6 +626,7 @@ licensed with GPL-2.0 with Classpath Exception) Scala/Java jars: - jakarta.annotation.jakarta.annotation-api-2.1.1.jar + - jakarta.servlet.jsp.jakarta.servlet.jsp-api-2.3.6.jar - jakarta.ws.rs.jakarta.ws.rs-api-3.0.0.jar - javax.ws.rs.javax.ws.rs-api-2.1.1.jar - org.jgrapht.jgrapht-core-1.4.0.jar @@ -690,9 +690,12 @@ Dependencies under the Eclipse Distribution License, Version 1.0 Scala/Java jars: - com.sun.activation.jakarta.activation-2.0.0.jar + - com.sun.istack.istack-commons-runtime-3.0.12.jar - jakarta.activation.jakarta.activation-api-1.2.1.jar - jakarta.xml.bind.jakarta.xml.bind-api-3.0.0.jar - org.eclipse.jgit.org.eclipse.jgit-5.13.0.202109080827-r.jar + - org.glassfish.jaxb.jaxb-runtime-2.3.9.jar + - org.glassfish.jaxb.txw2-2.3.9.jar -------------------------------------------------------------------------------- Dependencies in the Public Domain (CC0) diff --git a/amber/NOTICE-binary b/amber/NOTICE-binary index 1a5a6256323..590108c7980 100644 --- a/amber/NOTICE-binary +++ b/amber/NOTICE-binary @@ -503,6 +503,201 @@ which can be obtained from https://bitbucket.org/eunjeon/mecab-ko-dic/downloads/mecab-ko-dic-2.0.3-20170922.tar.gz +-------------------------------------------------------------------------------- +com.sun.istack.istack-commons-runtime +-------------------------------------------------------------------------------- + +# Notices for Eclipse Implementation of JAXB + +This content is produced and maintained by the Eclipse Implementation of JAXB +project. + +* Project home: https://projects.eclipse.org/projects/ee4j.jaxb-impl + +## Trademarks + +Eclipse Implementation of JAXB is a trademark of the Eclipse Foundation. + +## Copyright + +All content is the property of the respective authors or their employers. For +more information regarding authorship of content, please consult the listed +source code repository logs. + +## Declared Project Licenses + +This program and the accompanying materials are made available under the terms +of the Eclipse Distribution License v. 1.0 which is available at +http://www.eclipse.org/org/documents/edl-v10.php. + +SPDX-License-Identifier: BSD-3-Clause + +## Source Code + +The project maintains the following source code repositories: + +* https://github.com/eclipse-ee4j/jaxb-ri +* https://github.com/eclipse-ee4j/jaxb-istack-commons +* https://github.com/eclipse-ee4j/jaxb-dtd-parser +* https://github.com/eclipse-ee4j/jaxb-fi +* https://github.com/eclipse-ee4j/jaxb-stax-ex +* https://github.com/eclipse-ee4j/jax-rpc-ri + +## Third-party Content + +This project leverages the following third party content. + +Apache Ant (1.10.2) + +* License: Apache-2.0 AND W3C AND LicenseRef-Public-Domain + +Apache Ant (1.10.2) + +* License: Apache-2.0 AND W3C AND LicenseRef-Public-Domain + +Apache Felix (1.2.0) + +* License: Apache License, 2.0 + +args4j (2.33) + +* License: MIT License + +dom4j (1.6.1) + +* License: Custom license based on Apache 1.1 + +file-management (3.0.0) + +* License: Apache-2.0 +* Project: https://maven.apache.org/shared/file-management/ +* Source: + https://svn.apache.org/viewvc/maven/shared/tags/file-management-3.0.0/ + +JUnit (4.12) + +* License: Eclipse Public License + +JUnit (4.12) + +* License: Eclipse Public License + +maven-compat (3.5.2) + +* License: Apache-2.0 +* Project: https://maven.apache.org/ref/3.5.2/maven-compat/ +* Source: + https://mvnrepository.com/artifact/org.apache.maven/maven-compat/3.5.2 + +maven-core (3.5.2) + +* License: Apache-2.0 +* Project: https://maven.apache.org/ref/3.5.2/maven-core/index.html +* Source: https://mvnrepository.com/artifact/org.apache.maven/maven-core/3.5.2 + +maven-plugin-annotations (3.5) + +* License: Apache-2.0 +* Project: https://maven.apache.org/plugin-tools/maven-plugin-annotations/ +* Source: + https://github.com/apache/maven-plugin-tools/tree/master/maven-plugin-annotations + +maven-plugin-api (3.5.2) + +* License: Apache-2.0 + +maven-resolver-api (1.1.1) + +* License: Apache-2.0 + +maven-resolver-api (1.1.1) + +* License: Apache-2.0 + +maven-resolver-connector-basic (1.1.1) + +* License: Apache-2.0 + +maven-resolver-impl (1.1.1) + +* License: Apache-2.0 + +maven-resolver-spi (1.1.1) + +* License: Apache-2.0 + +maven-resolver-transport-file (1.1.1) + +* License: Apache-2.0 +* Project: https://maven.apache.org/resolver/maven-resolver-transport-file/ +* Source: + https://github.com/apache/maven-resolver/tree/master/maven-resolver-transport-file + +maven-resolver-util (1.1.1) + +* License: Apache-2.0 + +maven-settings (3.5.2) + +* License: Apache-2.0 +* Source: + https://mvnrepository.com/artifact/org.apache.maven/maven-settings/3.5.2 + +OSGi Service Platform Core Companion Code (6.0) + +* License: Apache License, 2.0 + +plexus-archiver (3.5) + +* License: Apache-2.0 +* Project: https://codehaus-plexus.github.io/plexus-archiver/ +* Source: https://github.com/codehaus-plexus/plexus-archiver + +plexus-io (3.0.0) + +* License: Apache-2.0 + +plexus-utils (3.1.0) + +* License: Apache- 2.0 or Apache- 1.1 or BSD or Public Domain or Indiana + University Extreme! Lab Software License V1.1.1 (Apache 1.1 style) + +relaxng-datatype (1.0) + +* License: New BSD license + +Sax (0.2) + +* License: SAX-PD +* Project: http://www.megginson.com/downloads/SAX/ +* Source: http://sourceforge.net/project/showfiles.php?group_id=29449 + +testng (6.14.2) + +* License: Apache-2.0 AND (MIT OR GPL-1.0+) +* Project: https://testng.org/doc/index.html +* Source: https://github.com/cbeust/testng + +wagon-http-lightweight (3.0.0) + +* License: Pending +* Project: https://maven.apache.org/wagon/ +* Source: + https://mvnrepository.com/artifact/org.apache.maven.wagon/wagon-http-lightweight/3.0.0 + +xz for java (1.8) + +* License: LicenseRef-Public-Domain + +## Cryptography + +Content may contain encryption software. The country in which you are currently +may have restrictions on the import, possession, and use, and/or re-export to +another country, of encryption software. BEFORE using any encryption software, +please check the country's laws, regulations and policies concerning the import, +possession, or use, and re-export of encryption software, to see if this is +permitted. + -------------------------------------------------------------------------------- org.apache.lucene -------------------------------------------------------------------------------- diff --git a/build.sbt b/build.sbt index da0dca85a6e..965fcceb6ce 100644 --- a/build.sbt +++ b/build.sbt @@ -207,8 +207,21 @@ lazy val WorkflowExecutionService = (project in file("amber")) "org.slf4j" % "slf4j-api" % "1.7.26", "org.eclipse.jetty" % "jetty-server" % "9.4.20.v20190813", "org.eclipse.jetty" % "jetty-servlet" % "9.4.20.v20190813", - "org.eclipse.jetty" % "jetty-http" % "9.4.20.v20190813" + "org.eclipse.jetty" % "jetty-http" % "9.4.20.v20190813", + // Hadoop 3.5.0 moved its web stack to Jersey 2.46, which drops + // AbstractValueFactoryProvider. Left alone, SBT's max-version eviction replaces + // Dropwizard 1.3.23's Jersey 2.25.1 (pulled transitively through many hadoop paths: + // the direct hadoop-common, workflow-core, and commons-vfs2 -> hadoop-hdfs-client) + // and breaks dropwizard-auth's AuthValueFactoryProvider.Binder. Pin the shared Jersey + // stack back to 2.25.1 and drop Hadoop's 2.46-only jersey-hk2 module (jersey-inject + // did not exist in 2.25.1) so the classpath matches what dropwizard-auth expects. + "org.glassfish.jersey.core" % "jersey-server" % "2.25.1", + "org.glassfish.jersey.core" % "jersey-common" % "2.25.1", + "org.glassfish.jersey.core" % "jersey-client" % "2.25.1", + "org.glassfish.jersey.containers" % "jersey-container-servlet" % "2.25.1", + "org.glassfish.jersey.containers" % "jersey-container-servlet-core" % "2.25.1" ) ++ nettyDependencyOverrides, + excludeDependencies += ExclusionRule("org.glassfish.jersey.inject", "jersey-hk2"), libraryDependencies ++= Seq( "com.squareup.okhttp3" % "okhttp" % "4.10.0" force () // Force usage of OkHttp 4.10.0 ) From 6ef6eeea679879a501d414e464e429e236efc807 Mon Sep 17 00:00:00 2001 From: probe Date: Thu, 9 Jul 2026 17:54:14 -0700 Subject: [PATCH 3/3] docs(deps): clarify the hadoop web-stack exclusion comments Reword the amber and workflow-core exclusion comments so the Dropwizard/Jersey rationale is module-scoped: amber runs the old Dropwizard 1.3.23 (Jersey 2.25.1) server that needs AbstractValueFactoryProvider, while workflow-core is a library and only references that downstream consumer. No functional change. --- amber/build.sbt | 10 ++++++---- common/workflow-core/build.sbt | 7 ++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/amber/build.sbt b/amber/build.sbt index 881fd019cc5..8d2ac747af7 100644 --- a/amber/build.sbt +++ b/amber/build.sbt @@ -164,10 +164,12 @@ val excludeHadoopJersey = ExclusionRule(organization = "com.sun.jersey") // providers break Jersey 2 auto-discovery at startup, so exclude it as well. val excludeHadoopJerseyJsonFork = ExclusionRule(organization = "com.github.pjfanning", name = "jersey-json") // Hadoop 3.5.0 moved its web stack to Jersey 2.x (org.glassfish.jersey.{core,containers, -// inject}) plus the glassfish JAXB runtime, istack-commons, and the Jakarta JSP API. Left -// in, Jersey 2.46 would evict Dropwizard 1.3.23's Jersey 2.25.1 (dropping the -// AbstractValueFactoryProvider that dropwizard-auth needs). Texera uses hadoop only as a -// filesystem client, so exclude the whole servlet/JAX-RS/JAXB web stack. +// inject}) plus the glassfish JAXB runtime, istack-commons, and the Jakarta JSP API. This +// service runs on Dropwizard 1.3.23 (see dropwizardVersion above), whose Jersey 2.25.1 +// provides the AbstractValueFactoryProvider that dropwizard-auth binds against; letting +// Hadoop's newer Jersey 2.x win the sbt eviction drops that class and breaks auth wiring. +// Texera uses hadoop only as a filesystem client, so exclude the whole servlet/JAX-RS/JAXB +// web stack instead. val excludeHadoopJersey2Stack = Seq( ExclusionRule(organization = "org.glassfish.jersey.core"), ExclusionRule(organization = "org.glassfish.jersey.containers"), diff --git a/common/workflow-core/build.sbt b/common/workflow-core/build.sbt index bec5e636e89..11ec0b76e5e 100644 --- a/common/workflow-core/build.sbt +++ b/common/workflow-core/build.sbt @@ -164,9 +164,10 @@ val excludeJerseyJsonFork = ExclusionRule(organization = "com.github.pjfanning", // (org.glassfish.jersey.{core,containers,inject}) plus the glassfish JAXB runtime, // istack-commons, and the Jakarta JSP API. ExclusionRule matches the organization string // exactly, so a bare "org.glassfish.jersey" rule matches none of the real artifacts. -// Texera uses hadoop only as a filesystem client, so none of this servlet/JAX-RS/JAXB -// web stack is needed; excluding it keeps Dropwizard's Jersey 2.25.1 from being evicted -// and keeps these jars out of every service dist. +// Texera uses hadoop only as a filesystem client, so none of this servlet/JAX-RS/JAXB web +// stack is needed. Excluding it here keeps those jars out of every downstream service dist +// and, for services still on a Jersey 2.x server stack (amber), avoids evicting the Jersey +// their auth wiring depends on. val excludeHadoopJersey2Stack = Seq( ExclusionRule(organization = "org.glassfish.jersey.core"), ExclusionRule(organization = "org.glassfish.jersey.containers"),