Conversation

@aptmac
Member

@aptmac aptmac commented Dec 12, 2025

There's currently a security advisory open for the version of lz4-java we are using. lz4-java had been archived, but has been updated by a new maintainer with a fix for the security issue.

See: GHSA-cmp6-m4wj-q63q


Progress

  • Commit message must refer to an issue
  • Change must be properly reviewed (1 review required, with at least 1 Committer)

Issue

  • JMC-8481: Update lz4-java to 1.10.2 (Bug - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jmc.git pull/694/head:pull/694
$ git checkout pull/694

Update a local copy of the PR:
$ git checkout pull/694
$ git pull https://git.openjdk.org/jmc.git pull/694/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 694

View PR using the GUI difftool:
$ git pr show -t 694

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jmc/pull/694.diff

Using Webrev


@bridgekeeper

bridgekeeper bot commented Dec 12, 2025

👋 Welcome back aptmac! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk

openjdk bot commented Dec 12, 2025

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

@openjdk

openjdk bot commented Dec 12, 2025

@aptmac Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

@openjdk openjdk bot added the rfr label Dec 12, 2025
@mlbridge

mlbridge bot commented Dec 12, 2025

Webrevs

@aptmac
Member Author

aptmac commented Dec 12, 2025

Will have to go back over this one, looks like the test case isn't able to find the lz4-java class that we're trying to use:

  NotificationModelTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationModelTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream

@aptmac
Member Author

aptmac commented Dec 12, 2025

Hm, taking a look at the jar that's pulled in from maven central, the packages aren't exported:

Manifest-Version: 1.0
Automatic-Module-Name: org.lz4.java
Build-Jdk-Spec: 21
Bundle-ManifestVersion: 2
Bundle-Name: lz4-java
Bundle-SymbolicName: lz4-java
Bundle-Version: 0
Import-Package: java.io,java.lang,java.lang.reflect,java.nio,java.util
 ,java.util.zip,sun.misc
Originally-Created-By: Maven JAR Plugin 3.4.1
Private-Package: net.jpountz.lz4,net.jpountz.util,net.jpountz.util.dar
 win.aarch64,net.jpountz.util.darwin.x86_64,net.jpountz.util.linux.aar
 ch64,net.jpountz.util.linux.amd64,net.jpountz.util.linux.i386,net.jpo
 untz.util.linux.ppc64le,net.jpountz.util.linux.s390x,net.jpountz.util
 .win32.amd64,net.jpountz.xxhash
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"

Edit: that require-capability on java 7 is also kind of suspicious
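The NoClassDefFound failures and this manifest point at the same cause: in an OSGi runtime such as the Eclipse-based JMC, another bundle can only import packages the jar lists under Export-Package, and here net.jpountz.lz4 appears only under Private-Package. The check below is an added example, not code from this PR or from lz4-java; it parses a MANIFEST.MF with its space-prefixed continuation lines unfolded and reports whether a package is exported, private or absent, using the manifest quoted above as embedded sample input.

```python
# Added example (not JMC or lz4-java code): read a bundle manifest as an OSGi resolver does.
MANIFEST_TEXT = """Manifest-Version: 1.0
Automatic-Module-Name: org.lz4.java
Build-Jdk-Spec: 21
Bundle-ManifestVersion: 2
Bundle-Name: lz4-java
Bundle-SymbolicName: lz4-java
Bundle-Version: 0
Import-Package: java.io,java.lang,java.lang.reflect,java.nio,java.util
 ,java.util.zip,sun.misc
Originally-Created-By: Maven JAR Plugin 3.4.1
Private-Package: net.jpountz.lz4,net.jpountz.util,net.jpountz.util.dar
 win.aarch64,net.jpountz.util.darwin.x86_64,net.jpountz.util.linux.aar
 ch64,net.jpountz.util.linux.amd64,net.jpountz.util.linux.i386,net.jpo
 untz.util.linux.ppc64le,net.jpountz.util.linux.s390x,net.jpountz.util
 .win32.amd64,net.jpountz.xxhash
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"
"""  # manifest quoted in the PR comment, embedded here as sample input

def parse_manifest(text):
    """Header name -> value; a leading space marks a continuation line."""
    headers, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            headers[current] += raw[1:]  # join the 72-byte-wrapped remainder
        elif raw.strip():
            current, _, value = raw.partition(":")
            headers[current] = value.strip()
    return headers

def split_packages(value):
    """Split on commas outside quotes (e.g. uses:="a,b"); drop ;directives."""
    items, buf, quoted = [], "", False
    for ch in value:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            items.append(buf)
            buf = ""
        else:
            buf += ch
    items.append(buf)
    return [i.split(";")[0].strip() for i in items if i.strip()]

def package_visibility(manifest_text, package):
    """'exported', 'private' or 'absent' for a package in this bundle."""
    headers = parse_manifest(manifest_text)
    for header, label in (("Export-Package", "exported"), ("Private-Package", "private")):
        if package in split_packages(headers.get(header, "")):
            return label
    return "absent"
```

Running package_visibility(MANIFEST_TEXT, "net.jpountz.lz4") on this manifest returns "private", which is exactly the condition under which an OSGi consumer of the bundle fails to resolve the class.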

@aptmac
Member Author

aptmac commented Dec 16, 2025

I contributed a PR to the new lz4-java repo, which should fix the package exports: yawkat/lz4-java#28

Will need to check back here once it's released and verify that it actually works.

@aptmac aptmac changed the title 8481: Update lz4-java to 1.10.1 8481: Update lz4-java to 1.10.2 Dec 16, 2025