Conversation

@kenssa4eedfd kenssa4eedfd (Contributor) commented Dec 15, 2025

Purpose of the PR

  • optimize code and update dependencies

Main Changes

Verifying these changes

  • Trivial rework / code cleanup without any test coverage. (No Need)
  • Already covered by existing tests, such as (please modify tests here).
  • Need tests and can be verified as follows:

Does this PR potentially affect the following parts?

Documentation Status

  • Doc - TODO
  • Doc - Done
  • Doc - No Need

@dosubot dosubot bot added the labels size:M (This PR changes 30-99 lines, ignoring generated files) and bug (Something isn't working) Dec 15, 2025
@kenssa4eedfd kenssa4eedfd changed the title from "fix:Resolve potential security issues in the project" to "fix:optimize code and update dependencies" Dec 15, 2025
@dosubot dosubot bot added the label size:S (This PR changes 10-29 lines, ignoring generated files) and removed size:M (This PR changes 30-99 lines, ignoring generated files) Dec 16, 2025
codecov bot commented Dec 16, 2025

Codecov Report

❌ Patch coverage is 83.33333% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 31.90%. Comparing base (18569c4) to head (ff0565a).
⚠️ Report is 3 commits behind head on master.

Files with missing lines Patch % Lines
...n/java/org/apache/hugegraph/util/CompressUtil.java 83.33% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master    #2918      +/-   ##
============================================
- Coverage     35.61%   31.90%   -3.71%     
- Complexity      333      488     +155     
============================================
  Files           802      802              
  Lines         67539    67539              
  Branches       8774     8774              
============================================
- Hits          24051    21551    -2500     
- Misses        40927    43587    +2660     
+ Partials       2561     2401     -160     

☔ View full report in Codecov by Sentry.

@dosubot dosubot bot added the label size:M (This PR changes 30-99 lines, ignoring generated files) and removed size:S (This PR changes 10-29 lines, ignoring generated files) Dec 16, 2025
@imbajin imbajin requested a review from Copilot December 17, 2025 08:16
Copilot AI (Contributor) left a comment
Pull request overview

This PR addresses security concerns by updating the lz4-java dependency and strengthening password hashing, while also refactoring zip slip protection code for better maintainability.

  • Updates lz4-java from versions 1.7.1/1.8.0 to 1.8.1 in response to a security vulnerability
  • Increases BCrypt work factor from 4 to 12 to strengthen password hashing security
  • Refactors the zipSlipProtect method signature to accept a String instead of ArchiveEntry for better code reuse

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Summary per file (path, then description):

  • install-dist/scripts/dependency/known-dependencies.txt: Updates dependency tracking to replace old lz4-java versions with 1.8.1
  • install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.1.txt: Adds Apache 2.0 license file for the new lz4-java version
  • install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.0.txt: Removes obsolete license file for lz4-java 1.8.0
  • install-dist/release-docs/LICENSE: Adds reference to lz4-java 1.8.1 in the main license file
  • hugegraph-struct/pom.xml: Updates lz4-java dependency version from 1.7.1 to 1.8.1 with CVE reference
  • hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java: Increases BCrypt work factor from 4 to 12 for stronger password hashing
  • hugegraph-server/hugegraph-core/pom.xml: Updates lz4-java version property from 1.8.0 to 1.8.1 with CVE reference
  • hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java: Increases BCrypt work factor from 4 to 12 for stronger password hashing
  • hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java: Refactors zipSlipProtect to accept String instead of ArchiveEntry, applies protection to decompressZip
  • hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java: Adds backward compatibility test for BCrypt work factor change

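The review summary above says the PR changes zipSlipProtect to take the entry name as a String and applies it to decompressZip. The following is an added example of what such a String-based zip-slip guard looks like; it is not the HugeGraph CompressUtil code. The class name ZipSlipExample, the target directory /tmp/hg-restore and the entry names in main are constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/** Added example, not HugeGraph code: a zip-slip guard that takes the entry name as a String. */
public final class ZipSlipExample {

    /**
     * Resolves entryName under targetDir and returns the destination path, or throws if the
     * entry would land outside targetDir. Taking a String rather than an ArchiveEntry lets
     * zip and tar extraction share one check, which is the refactor the review describes.
     */
    public static Path zipSlipProtect(String targetDir, String entryName) throws IOException {
        Path target = Paths.get(targetDir).toAbsolutePath().normalize();
        // Archive entry names are '/'-separated by spec, but hostile archives also use '\'.
        // Treat both as separators so "..\" cannot sneak past the check on Windows.
        String hostName = entryName.replace('\\', '/').replace('/', File.separatorChar);
        // resolve() discards target entirely when hostName is absolute ("/etc/passwd"), and
        // normalize() folds ".." segments, so both escape styles end up outside target.
        Path resolved = target.resolve(hostName).normalize();
        // Path.startsWith compares whole components, unlike String.startsWith, so a target of
        // /tmp/out does not accidentally accept an entry that resolves to /tmp/outside/x.
        if (!resolved.startsWith(target)) {
            throw new IOException("Entry is outside of the target dir: " + entryName);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed entry names: the first three are benign, the rest are traversal attempts.
        List<String> entries = List.of(
                "data/vertex.bin", "./logs/a.log", "a/../b.txt",
                "../../etc/cron.d/evil", "/etc/passwd", "..\\..\\win.ini", "x/../../../y");
        for (String entry : entries) {
            try {
                System.out.println("ok   " + entry + " -> " + zipSlipProtect("/tmp/hg-restore", entry));
            } catch (IOException e) {
                System.out.println("DENY " + entry + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check covers only the entry name. A tar archive can additionally carry a symlink entry whose link target points outside the directory, and a later entry written through that link escapes the directory even though every name passed the check; an extractor that handles symlink entries needs to validate the link target the same way or refuse to create links.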

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.

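The first Copilot review summary above also notes the BCrypt work factor moving from 4 to 12 and a backward-compatibility test for that change. The following added example shows why old hashes keep verifying and how a login path can upgrade them; it is not HugeGraph's StringEncoding or its test. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt, Maven artifact org.mindrot:jbcrypt) is on the classpath; that this is the library StringEncoding wraps is an assumption, and the class and method names here are hypothetical.

```java
import org.mindrot.jbcrypt.BCrypt;

/** Added example, not HugeGraph code: bcrypt cost upgrade that keeps old hashes verifying. */
public final class BcryptCostExample {

    static final int OLD_COST = 4;   // work factor the review says was in use before the PR
    static final int NEW_COST = 12;  // work factor the review says the PR sets

    static String hashPassword(String password, int cost) {
        return BCrypt.hashpw(password, BCrypt.gensalt(cost));
    }

    /** A bcrypt string is "$2a$" + two-digit cost + "$" + salt and digest; read the cost back. */
    static int costOf(String hash) {
        return Integer.parseInt(hash.substring(4, 6));
    }

    /**
     * Verifies password against storedHash. checkpw takes the cost from the hash itself, so a
     * hash produced at cost 4 keeps verifying after the default moves to 12. Returns storedHash
     * unchanged when it is already at NEW_COST or above, a freshly computed NEW_COST hash when
     * the stored one is weaker (the caller persists it), or null when the password is wrong.
     */
    static String verifyAndUpgrade(String password, String storedHash) {
        if (!BCrypt.checkpw(password, storedHash)) {
            return null;
        }
        return costOf(storedHash) < NEW_COST ? hashPassword(password, NEW_COST) : storedHash;
    }

    public static void main(String[] args) {
        String legacy = hashPassword("correct horse", OLD_COST);   // constructed legacy record
        long t0 = System.nanoTime();
        String upgraded = verifyAndUpgrade("correct horse", legacy);
        long t1 = System.nanoTime();
        System.out.println("legacy cost=" + costOf(legacy) + ", upgraded cost=" + costOf(upgraded));
        System.out.println("wrong password -> " + verifyAndUpgrade("wrong", legacy));
        // Each +1 in cost doubles the work, so 4 -> 12 is 2^8 = 256 times more per hash. That
        // cost lands on every login as well as on every attacker guess, so size it per deployment.
        System.out.println("verify + rehash took " + (t1 - t0) / 1_000_000 + " ms");
    }
}
```

Because the cost lives inside the hash string, raising the default only affects hashes created from then on; existing cost-4 hashes stay as weak as they were until they are rehashed, which is why the upgrade-on-successful-login step above is worth wiring in rather than relying on the new default alone.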

@imbajin imbajin changed the title from "fix:optimize code and update dependencies" to "fix: optimize code and update risky deps" Dec 18, 2025
@dosubot dosubot bot added the label lgtm (This PR has been approved by a maintainer) Dec 18, 2025
@imbajin imbajin requested review from Pengzna and zyxxoo December 18, 2025 06:48
@imbajin imbajin requested review from VGalaxies and coderzc January 4, 2026 07:03
@VGalaxies VGalaxies merged commit 423ede0 into apache:master Jan 4, 2026
13 checks passed
Labels

  • bug: Something isn't working
  • lgtm: This PR has been approved by a maintainer
  • size:M: This PR changes 30-99 lines, ignoring generated files

3 participants