fix(deps): update dependency org.apache.avro:avro to v1.11.5 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
org.apache.avro:avro (source)	1.11.4 → 1.11.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-33042

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

---

Release Notes

apache/avro (org.apache.avro:avro)

v1.11.5

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request upgrades the Apache Avro Java SDK dependency to a patched version. The primary goal is to resolve a recently disclosed security vulnerability, ensuring the project utilizes a more secure and stable version of the library.

Highlights

• Dependency Update: Updated the org.apache.avro:avro dependency from version 1.11.4 to 1.11.5.
• Security Fix: This update addresses CVE-2025-33042, a critical code injection vulnerability in the Apache Avro Java SDK.

Changelog

• spanner/changestreams/pom.xml
  • Updated the org.apache.avro:avro dependency version to 1.11.5.

Activity

• The pull request was automatically generated by renovate-bot.
• Automerge is enabled for this pull request, indicating it is set to merge automatically once all checks pass.
• The PR explicitly addresses a security vulnerability (CVE-2025-33042) in the org.apache.avro:avro dependency.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly updates the org.apache.avro:avro dependency to version 1.11.5, addressing the security vulnerability CVE-2025-33042. The change is correct and necessary. While this PR is good to merge, I'd like to point out a potential area for future improvement. The pom.xml file uses shared-configuration version 1.2.0. A general rule for this repository is to keep the shared-configuration parent at the latest version. It would be beneficial to verify if this and other core dependencies like libraries-bom are up-to-date and, if not, update them in a separate PR to maintain project health and security.