[fix][schema] Replace archived hamba/avro/v2 with maintained iskorotkov/avro/v2 fork#1518
Open
twmb wants to merge 1 commit into
…ov/avro/v2 fork

github.com/hamba/avro/v2 was archived in January 2026 and is no longer maintained; the maintainer confirmed it and endorsed forking (hamba/avro#595). It carries two advisories with no upstream fix: CVE-2026-46384 (GHSA-mc57-h6j3-3hmv) and CVE-2026-46385 (GHSA-w8j3-pq8g-8m7w).

Switch the Avro dependency to the maintained fork github.com/iskorotkov/avro/v2 v2.33.1, which carries the fixes/mitigations (recorded in golang/vulndb#5047 and #5046). It is a drop-in replacement -- same package name and the same Parse/Marshal/Unmarshal API -- so the only code change is a single import-path swap in pulsar/schema.go.

The fork is wire-compatible: byte-identical Avro output to hamba for the same schema, and each library cleanly decodes the other's encoded bytes.

Signed-off-by: Travis Bischel <travis@redpanda.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Motivation
github.com/hamba/avro/v2, used by pulsar/schema.go for Avro encode/decode, was archived in January 2026 and is no longer maintained. The maintainer confirmed this and explicitly endorsed forking — hamba/avro#595 ("there will be no more releases on this project... You can fix the issue in your own fork if you wish"). It carries two advisories with no upstream fix:

The maintained fork github.com/iskorotkov/avro/v2 carries the fixes/mitigations. This is recorded in the official Go vulnerability database triage, where the fork author identified it as the source of the fix:

Modifications

Switch the Avro dependency to github.com/iskorotkov/avro/v2 (v2.33.1). It is a drop-in replacement — same package name and the same Parse/Marshal/Unmarshal API — so the only code change is a single import-path swap in pulsar/schema.go. go mod tidy additionally prunes some already-orphaned indirect deps and applies minor MVS-forced version bumps pulled in by the fork. The fork is wire-compatible: it produces byte-identical Avro output to hamba for the same schema, and each library cleanly decodes the other's encoded bytes.

Alternative:

github.com/twmb/avro is my own maintained repo, not a fork, with a slightly different approach. This could be used instead if interested, but the patch as is is the minimal fix.
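An added example, not part of this PR or the project's code: a small CI-style guard that parses Go source imports and flags any remaining reference to the archived github.com/hamba/avro/v2 module (or its subpackages), so the import-path swap this PR makes cannot silently regress in a later change. The before/after sources below are constructed samples standing in for pulsar/schema.go, not the real file.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// ArchivedAvro is the module this PR retires; ReplacementAvro is the maintained fork.
const (
	ArchivedAvro    = "github.com/hamba/avro/v2"
	ReplacementAvro = "github.com/iskorotkov/avro/v2"
)

// ForbiddenImports parses only the import block of a Go file and returns every
// import path equal to the archived module or one of its subpackages.
func ForbiddenImports(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value) // import paths are quoted literals
		if err != nil {
			return nil, err
		}
		if path == ArchivedAvro || strings.HasPrefix(path, ArchivedAvro+"/") {
			hits = append(hits, path)
		}
	}
	return hits, nil
}

// Constructed samples (hypothetical): the schema package before and after the swap.
const beforeSrc = "package schema\n\nimport (\n\t\"fmt\"\n\tavro \"" + ArchivedAvro + "\"\n)\n"
const afterSrc = "package schema\n\nimport (\n\t\"fmt\"\n\tavro \"" + ReplacementAvro + "\"\n)\n"

func main() {
	for name, src := range map[string]string{"before.go": beforeSrc, "after.go": afterSrc} {
		hits, err := ForbiddenImports(name, src)
		fmt.Printf("%s: forbidden imports=%v err=%v\n", name, hits, err)
	}
}
```

Run it over every .go file in the module (for example from a go test or a pre-commit hook) and fail the build when the returned slice is non-empty.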