Joe DiPol created KAFKA-15138:
---------------------------------

             Summary: Java kafka-clients compression dependencies should be optional
                 Key: KAFKA-15138
                 URL: https://issues.apache.org/jira/browse/KAFKA-15138
             Project: Kafka
          Issue Type: Bug
          Components: clients
    Affects Versions: 3.4.0
            Reporter: Joe DiPol

If you look at [https://repo1.maven.org/maven2/org/apache/kafka/kafka-clients/3.4.0/kafka-clients-3.4.0.pom] you see that the dependencies for the compression libraries (like lz4-java) do NOT have "{{<optional>true</optional>}}". That means that these libraries are transitive dependencies which will be pulled (and potentially security scanned) for any project that uses kafka-clients.

This is not correct. These compression libraries are optional and should not be transitive dependencies of kafka-clients. Therefore the above pom should state {{optional}} like:

    <dependency>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
      <optional>true</optional>
    </dependency>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
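
The following is an added example, not part of the original report or of Kafka's code: a small check that lists which direct dependencies of a POM a consumer inherits, applying Maven's rules that only `compile` and `runtime` scoped dependencies without `<optional>true</optional>` are transitive. Both POMs are constructed samples; only the lz4-java coordinates come from the issue, and `com.example:test-helper` is a hypothetical placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample POMs (not the real kafka-clients POM). The lz4-java
# coordinates come from the issue; com.example:test-helper is hypothetical.
POM_CURRENT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>test-helper</artifactId>
      <version>0.0.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

# Same POM with the change the issue proposes for the compression library.
POM_PROPOSED = POM_CURRENT.replace(
    "<scope>runtime</scope>",
    "<scope>runtime</scope>\n      <optional>true</optional>")

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Maven scopes whose dependencies are passed on to consumers.
TRANSITIVE_SCOPES = {"compile", "runtime"}


def transitive_dependencies(pom_xml):
    """Return group:artifact:version for each direct dependency that a
    consumer of this POM inherits (transitive scope and not optional)."""
    root = ET.fromstring(pom_xml)
    inherited = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        def field(name, default=""):
            return (dep.findtext("m:" + name, default, NS) or default).strip()
        scope = field("scope", "compile")  # Maven's default scope
        optional = field("optional", "false").lower() == "true"
        if scope in TRANSITIVE_SCOPES and not optional:
            inherited.append(":".join(field(n) for n in ("groupId", "artifactId", "version")))
    return inherited


if __name__ == "__main__":
    print("current: ", transitive_dependencies(POM_CURRENT))
    print("proposed:", transitive_dependencies(POM_PROPOSED))
```

The check reads only the literal POM text, so versions or scopes supplied through a parent POM, `dependencyManagement`, or property placeholders are not resolved.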