
upgrade parquet-avro to address CVE-2025-30065

Open sumi-mathew opened this issue 6 months ago • 2 comments

Change Logs

The last published hudi-presto-bundle, 1.0.2, is using parquet-avro version 1.13.1

This unfortunately has two rather bothersome CVEs -

  • CVE-2025-46762, score 7.1/10 - Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
  • CVE-2025-30065, score 10/10 - Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution

GitHub issue: https://github.com/apache/hudi/issues/13308

Impact

Describe any public API or user-facing feature change or any performance impact.

Risk level (write none, low medium or high below)

If medium or high, explain what verification was done to mitigate the risks.

Documentation Update

Describe any necessary documentation update if there is any new feature, config, or user-facing change. If not, put "none".

  • The config description must be updated if new configs are added or the default value of the configs are changed
  • Any new feature or user-facing change requires updating the Hudi website. Please create a Jira ticket, attach the ticket number here and follow the instruction to make changes to the website.

Contributor's checklist

  • [ ] Read through contributor's guide
  • [ ] Change Logs and Impact were stated clearly
  • [ ] Adequate tests were added if applicable
  • [ ] CI passed

sumi-mathew avatar May 26 '25 09:05 sumi-mathew
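As an added defender-side check, not part of this PR or the Hudi code base: a Python script that scans constructed `mvn dependency:tree` output for `org.apache.parquet:parquet-avro` and reports which of the two CVEs above each found version still lacks a fix for. The minimum fixed versions (1.15.1 for CVE-2025-30065, 1.15.2 for CVE-2025-46762) are assumed from the Apache Parquet advisories; the thread itself only states that the new bundle moves to Parquet 1.15.2.

```python
import re

# Assumed minimum parquet-avro versions that fix each CVE named in the PR.
# Taken from the Apache Parquet advisories, not from this PR.
FIXED_IN = {
    "CVE-2025-30065": (1, 15, 1),
    "CVE-2025-46762": (1, 15, 2),
}

# Constructed sample of `mvn dependency:tree` output for a bundle module
# still pulling the affected parquet-avro 1.13.1 transitively.
SAMPLE_TREE = """\
[INFO] org.apache.hudi:hudi-presto-bundle:jar:1.0.2
[INFO] +- org.apache.hudi:hudi-common:jar:1.0.2:compile
[INFO] |  \\- org.apache.parquet:parquet-avro:jar:1.13.1:compile
[INFO] +- org.apache.parquet:parquet-hadoop:jar:1.13.1:compile
[INFO] \\- org.apache.avro:avro:jar:1.11.4:compile
"""

# groupId:artifactId:jar:version[:scope] as printed by dependency:tree
LINE_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)(?::(\w+))?")


def parse_version(version):
    """Turn '1.13.1' or '1.16.0-SNAPSHOT' into a comparable int tuple."""
    core = version.split("-")[0]  # drop qualifiers such as -SNAPSHOT
    return tuple(int(part) for part in core.split("."))


def find_artifact_versions(tree_text, group, artifact):
    """Collect every version of group:artifact appearing in the tree."""
    versions = []
    for line in tree_text.splitlines():
        match = LINE_RE.search(line)
        if match and match.group(1) == group and match.group(2) == artifact:
            versions.append(match.group(3))
    return versions


def unfixed_cves(version):
    """CVEs from FIXED_IN whose fix version is newer than `version`."""
    parsed = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if parsed < fixed)


def audit(tree_text):
    """Map each parquet-avro version in the tree to its unfixed CVEs."""
    found = find_artifact_versions(tree_text, "org.apache.parquet", "parquet-avro")
    return {v: unfixed_cves(v) for v in found}


if __name__ == "__main__":
    for version, cves in audit(SAMPLE_TREE).items():
        print(f"parquet-avro {version}: {'OK' if not cves else ', '.join(cves)}")
```

Run it against real output with `mvn dependency:tree -Dincludes=org.apache.parquet:parquet-avro` piped into `audit`; an empty list for every version means the bundle no longer ships an affected parquet-avro.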

@yihua / @danny0405 Could you please review this PR

sumi-mathew avatar Jun 12 '25 11:06 sumi-mathew

@sumi-mathew Have you tested this change with Presto to make sure the new Presto bundle with Parquet 1.15.2 is compatible with Presto?

yes

sumi-mathew avatar Jul 28 '25 05:07 sumi-mathew

@yihua Could you please re-review this PR

sumi-mathew avatar Sep 18 '25 06:09 sumi-mathew

CI report:

  • 07f924bdc07cc3d70dd15d889ae3169f36bb7414 Azure: SUCCESS

Bot commands

@hudi-bot supports the following commands:

  • @hudi-bot run azure re-run the last Azure build

hudi-bot avatar Nov 08 '25 02:11 hudi-bot