Hi Tom,

Thanks for starting this discussion. I think it's a good idea to do
another 4.1.0 release before proceeding with 5.0 to offer a release
with the vulnerability fixed without requiring users to upgrade to
Kafka 4.0. Is there a reason you prefer to do the 4.1.0 release
instead of the 4.0.1 release? I reviewed the changes between the
current main and the release 4.0.0 [1], and they are mostly dependency
upgrades and some fixes, but without any new features. What do you
think about doing a 4.0.1 release and then kicking off 5.0.0 with the
Kafka client upgrade?

Best,
Fabian

[1] https://github.com/apache/flink-connector-kafka/compare/v4.0...main

On Fri, Jul 25, 2025 at 11:58 AM Tom Cooper <[email protected]> wrote:
>
> Bumping this thread as we are now ready to merge the Kafka 4.0.0 client 
> update PR [1]. This will bump the major version of the connector to 5.0, as 
> we are dropping support for Kafka brokers running version 2.0.0 or earlier.
>
> However, I still think it would be worth doing a 4.1.0 release of the 
> connector (with the Kafka 3.9.1 client), before the Kafka 4.0.0 client update 
> is merged.
>
> The current Flink Kafka Connector (4.0) has a critical CVE [2], which is 
> patched in the 3.9.1 Kafka client library (which the current main branch of 
> the Flink connector is using). Doing a 4.1 release of the connector would 
> cover any users of older Kafka versions that want this CVE patched and also 
> give a stable release of the connector using a point release of the Kafka 
> client (with all the bug fixes that entails). This would be a good option for 
> users who don't want to jump straight onto the new major Kafka client version.
>
> What do people think?
>
> Tom Cooper
> @tomcooper.dev | https://tomcooper.dev
>
> [1] https://github.com/apache/flink-connector-kafka/pull/161
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-27817
>
>
> On Wednesday, 9 July 2025 at 09:35, Tom Cooper <[email protected]> wrote:
>
> > Hi,
> >
> > I would like to start a conversation about releases for the Flink Connector 
> > Kafka project.
> >
> > We have recently updated [0] to version 3.9.1 of the Kafka client library, 
> > which fixes a critical CVE [1]. With that in mind, I think it would be 
> > prudent to have a 4.1.0 release as soon as possible that includes this. It 
> > would also be good to include the dependency bumps from this PR [2] in that 
> > release.
> >
> > With the 4.1.0 release out, we could then move to looking at the Kafka 4.0 
> > upgrade (there is already a PR [3] for that). The main point with the Kafka 
> > 4.0 upgrade is that it drops support for Kafka brokers running version 
> > 2.0.0 and lower. Given this, I think it would make sense to move the 
> > Connector version to 5.0.0 and maybe even move to Flink 2.1.0 (which should 
> > be available in a month or so). This 5.0.0 release could also remove all 
> > the Zookeeper specific test infra and move to KRaft based clusters for 
> > testing. We could also move to a new, updated Flink Connector Parent pom 
> > version [4] which would harmonise the java versions and plugins with the 
> > main Flink project.
> >
> > I think, if the above is acceptable, that these changes warrant a major 
> > version bump. Users of older Kafka clusters would still be able to use 
> > 4.1.0 (which is an argument for making sure that release has the most 
> > up-to-date dependencies).
> >
> > Anyway, I would love to hear what the community think of the above.
> >
> > Thanks,
> >
> > Tom Cooper
> > @tomcooper.dev | https://tomcooper.dev
> >
> > [0] https://github.com/apache/flink-connector-kafka/pull/180
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2025-27817
> > [2] https://github.com/apache/flink-connector-kafka/pull/181
> > [3] https://github.com/apache/flink-connector-kafka/pull/161
> > [4] https://github.com/apache/flink-connector-shared-utils/pull/48
