[SECURITY] Upgrade protobuf-java and commons-compress version to fix …

…CVE (apache#3436)

paimon-format/pom.xml

@@ -39,7 +39,7 @@ under the License.
         <commons.lang3.version>3.12.0</commons.lang3.version>
         <zstd-jni.version>1.5.5-11</zstd-jni.version>
         <storage-api.version>2.8.1</storage-api.version>
-        <protobuf-java.version>3.17.3</protobuf-java.version>
+        <protobuf-java.version>3.19.6</protobuf-java.version>
     </properties>
 
     <dependencies>
@@ -89,6 +89,10 @@ under the License.
                     <groupId>com.google.protobuf</groupId>
                     <artifactId>protobuf-java</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-compress</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
 

paimon-format/src/main/resources/META-INF/NOTICE

@@ -17,7 +17,7 @@ This project bundles the following dependencies under the Apache Software Licens
 - com.fasterxml.jackson.core:jackson-core:2.14.2
 - com.fasterxml.jackson.core:jackson-databind:2.14.2
 - com.fasterxml.jackson.core:jackson-annotations:2.14.2
-- org.apache.commons:commons-compress:1.4.1
+- org.apache.commons:commons-compress:1.22
 
 - org.apache.parquet:parquet-hadoop:1.13.1
 - org.apache.parquet:parquet-column:1.13.1
@@ -31,6 +31,6 @@ This project bundles the following dependencies under the BSD license.
 You find it under licenses/LICENSE.protobuf, licenses/LICENSE.zstd-jni
 and licenses/LICENSE.threeten-extra
 
-- com.google.protobuf:protobuf-java:3.17.3
+- com.google.protobuf:protobuf-java:3.19.6
 - com.github.luben:zstd-jni:1.5.5-11
 - org.threeten:threeten-extra:1.7.1