Address CVE-2025-66566. update lz4 version (databricks#1142)

shivam2680 · web-flow · commit 7dc41bc778b6 · 2025-12-16T17:48:35.000+05:30
## Description  Address CVE https://github.com/databricks/databricks-jdbc/security/dependabot/3. update lz4 to suggested version https://mvnrepository.com/artifact/at.yawk.lz4/lz4-java/1.10.1 ## Testing  existing tests ## Additional Notes to the Reviewer
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -11,6 +11,7 @@
 ### Fixed
 - Fix timeout exception handling to throw `SQLTimeoutException` instead of `DatabricksSQLException` when queries timeout.
 - Removes dangerous global timezone modification that caused race conditions.
+- CVE-2025-66566. Updated lz4-java dependency to 1.10.1.
 
 ---
 *Note: When making changes, please add your change under the appropriate section with a brief description.*
diff --git a/pom.xml b/pom.xml
@@ -61,7 +61,7 @@
     <databricks-sdk.version>0.69.0</databricks-sdk.version>
     <maven-surefire-plugin.version>3.1.2</maven-surefire-plugin.version>
     <sql-logic-test.version>0.3</sql-logic-test.version>
-    <lz4-compression.version>1.8.1</lz4-compression.version>
+    <lz4-compression.version>1.10.1</lz4-compression.version>
     <thrift.version>0.19.0</thrift.version>
     <annotation.version>1.3.5</annotation.version>
     <slt.executor>dbsql</slt.executor>
@@ -230,7 +230,7 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <version>${lz4-compression.version}</version>
     </dependency>
diff --git a/thin_public_pom.xml b/thin_public_pom.xml
@@ -168,9 +168,9 @@
 
     <!-- Compression -->
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
-      <version>1.8.1</version>
+      <version>1.10.1</version>
     </dependency>
     
     <!-- gRPC Context -->
