From e7ba42524395296830356a0903284c6f221b4f71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=B2=20Martini?= Date: Wed, 11 Oct 2023 11:43:12 +0200 Subject: [PATCH] Bump AVRO version and remove NETTY (#57) * Bump avro version to address vulnerability CVE-2023-39410 * Remove netty deps --- project/Dependencies.scala | 28 +++------------------------- 1 file changed, 3 insertions(+), 25 deletions(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 28d69a1..7c8887c 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -1,7 +1,6 @@ import Dependencies.Versions.jacksonDatabindVersion import Dependencies.Versions.jacksonVersion import Dependencies.Versions.jimfsVersion -import Dependencies.Versions.nettyVersion import Dependencies.Versions.nimbusJoseJwtVersion import Dependencies._ import sbt._ @@ -42,7 +41,7 @@ object Dependencies { val confluentVersion = "7.1.1" val http4sVersion = "0.23.11" - val avroVersion = "1.11.0" + val avroVersion = "1.11.3" val avro4sVersion = "4.0.13" val catsVersion = "2.7.0" @@ -71,8 +70,6 @@ object Dependencies { val hadoopVersion = "3.3.4" val woodstockVersion = "5.4.0" - val nettyVersion = "4.1.97.Final" - val nimbusJoseJwtVersion = "9.22" val jimfsVersion = "1.2" 
@@ -211,15 +208,6 @@ object Dependencies { val connectApi = "org.apache.kafka" % "connect-api" % Versions.kafkaVersion val slf4jApi = "org.slf4j" % "slf4j-api" % Versions.slf4jVersion - lazy val nettyCodecHttp: ModuleID = "io.netty" % "netty-codec-http" % nettyVersion - lazy val nettyCodecSocks: ModuleID = "io.netty" % "netty-codec-socks" % nettyVersion - lazy val nettyCodec: ModuleID = "io.netty" % "netty-codec" % nettyVersion - lazy val nettyCommon: ModuleID = "io.netty" % "netty-common" % nettyVersion - lazy val nettyHandlerProxy: ModuleID = "io.netty" % "netty-handler-proxy" % nettyVersion - lazy val nettyHandler: ModuleID = "io.netty" % "netty-handler" % nettyVersion - lazy val nettyResolver: ModuleID = "io.netty" % "netty-resolver" % nettyVersion - lazy val nettyTransport: ModuleID = "io.netty" % "netty-transport" % nettyVersion - lazy val jacksonCore: ModuleID = "com.fasterxml.jackson.core" % "jackson-core" % jacksonVersion lazy val jacksonDatabind: ModuleID = "com.fasterxml.jackson.core" % "jackson-databind" % jacksonDatabindVersion @@ -284,16 +272,6 @@ trait Dependencies { logback, ) - // override to the newest netty deps - val nettyDeps = Seq(nettyCodecHttp, - nettyCodecSocks, - nettyCodec, - nettyCommon, - nettyHandlerProxy, - nettyHandler, - nettyResolver, - nettyTransport, - ) val jacksonDeps = Seq(jacksonCore, jacksonModuleScala, jacksonDatabind, jacksonXml) // Specific modules dependencies @@ -315,7 +293,7 @@ trait Dependencies { hadoopMapReduce, woodstock, jimfs, - ) ++ enumeratum ++ circe ++ http4s ++ nettyDeps).map(_.exclude("org.slf4j", "slf4j-log4j12")) + ) ++ enumeratum ++ circe ++ http4s).map(_.exclude("org.slf4j", "slf4j-log4j12")) .map(_.exclude("org.apache.logging.log4j", "log4j-slf4j-impl")) .map(_.exclude("com.sun.jersey", "*")) .map( 
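Review bot: Netty's version is no longer controlled once `nettyDeps` leaves the `) ++ enumeratum ++ circe ++ http4s)` list here and `emsSinkOverrides` in the `@@ -327,7 +305,7 @@` hunk; the removal drops the pin, not necessarily netty itself. The deleted comment said these entries existed to override to the newest netty, so any io.netty artifacts that still arrive transitively will resolve to whatever version their parent declares. The hadoop modules kept in this Seq are a possible source, though that cannot be confirmed from the hunk. Check the resolved dependency tree for io.netty before merging: if netty is really unused, say so next to the existing excludes with `.map(_.exclude("io.netty", "*"))`, otherwise keep the `nettyDeps` entries as overrides only. The enclosing Seq starts above the hunk and the `.map` chain continues below it.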
@@ -327,7 +305,7 @@ trait Dependencies { ), ) ++ jacksonDeps - val emsSinkOverrides = jacksonDeps ++ nettyDeps ++ Seq(avro, nimbusJoseJwt) + val emsSinkOverrides = jacksonDeps ++ Seq(avro, nimbusJoseJwt) // build plugins val kindProjectorPlugin = addCompilerPlugin("org.typelevel" %% "kind-projector" % Versions.kindProjectorVersion)
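Review bot: `val emsSinkOverrides = jacksonDeps ++ Seq(avro, nimbusJoseJwt)` has no comment explaining why `avro` is listed, although it appears to be the one place that forces the patched Avro version over whatever other libraries request. A comment above it such as `// avro pinned for CVE-2023-39410 (needs >= 1.11.3); do not drop without checking the resolved tree` would keep a later cleanup from removing the pin unnoticed. This assumes the value feeds sbt's `dependencyOverrides` elsewhere in the build, which the hunk does not show.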