[Task]: Remove Avro dependency from "sdks/java/core" #24292
Description
What needs to happen?
Beam Java SDK still depends on the rather old version of Avro (1.8.2) whereas the latest version of Avro is 1.11.0 for the moment (Avro 1.11.1 is coming soon). Unfortunately, Avro 1.8.2 dependency brings several CVEs, though the latest Avro 1.11.0 brings only one.
Several attempts to bump Beam Avro dependency to more recent ones have been done in the past but all of them were not successful because of different reasons. Mostly, because this update with introduce some incompatible changes that Avro made between the versions and this may affect directly the Beam users and, potentially, it may affect the transitive dependencies while using Beam with other projects that use Avro as well.
It was decided to copy all Java Avro-related code from sdks/java/core to a dedicated extension, deprecate old code and finally remove it.
More details can be found here:
https://lists.apache.org/thread/47oz1mlwj0orvo1458v5pw5c20bwt08q
- [Task]: [Avro] Create Avro extension for Java SDK #24293
- [Task]: [Avro] Use "extensions/avro" instead of avro from"core" in Java SDK modules #24748
- [Task]: [Avro] Add support of different Avro versions for extension #25215
- [Task]: [Avro] Deprecate Avro API classes in "sdks/java/core" #24749
- [Task]: [Avro] Stop using Avro in "core" #25252
- [Task]: [Avro] Update Beam documentation #24798
Issue Priority
Priority: 2
Issue Component
Component: io-java-avro