Joe DiPol created KAFKA-15138:
---------------------------------
Summary: Java kafka-clients compression dependencies should be optional
Key: KAFKA-15138
URL: https://issues.apache.org/jira/browse/KAFKA-15138
Project: Kafka
Issue Type: Bug
Components: clients
Affects Versions: 3.4.0
Reporter: Joe DiPol
If you look at
[https://repo1.maven.org/maven2/org/apache/kafka/kafka-clients/3.4.0/kafka-clients-3.4.0.pom]
you see that the dependencies for the compression libraries (like lz4-java) do
NOT have "{{<optional>true</optional>}}". That means that these libraries
are transitive dependencies which will be pulled (and potentially security
scanned) for any project that uses kafka-clients.
This is not correct. These compression libraries are optional and should not be
transitive dependencies of kafka-clients. Therefore the above pom should state
{{optional}} like:
    <dependency>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
      <optional>true</optional>
    </dependency>
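
The propagation rule the report relies on, as an added example (not part of the issue or of Kafka's build): a Python check that lists which direct dependencies in a POM are inherited by consumers, meaning compile or runtime scope without `<optional>true</optional>`. The POM below is constructed; only the lz4-java coordinates come from the issue, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM, not the real kafka-clients POM. Only the lz4-java
# coordinates come from the issue; the com.example entries are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>optional-codec</artifactId>
      <version>2.0.0</version>
      <scope>runtime</scope>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>test-helper</artifactId>
      <version>0.1.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


def inherited_dependencies(pom_xml):
    """List (groupId, artifactId, version, scope) that consumers of this POM inherit."""
    inherited = []
    root = ET.fromstring(pom_xml)
    # Only <project>/<dependencies>; <dependencyManagement> entries are not dependencies.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        field = lambda tag, default="": (dep.findtext("m:" + tag, default, NS) or default).strip()
        scope = field("scope", "compile")  # Maven's default scope
        if field("optional", "false").lower() == "true":
            continue  # optional dependencies are not passed on to consumers
        if scope not in ("compile", "runtime"):
            continue  # test/provided/system scopes are not transitive
        inherited.append((field("groupId"), field("artifactId"), field("version"), scope))
    return inherited


if __name__ == "__main__":
    for dep in inherited_dependencies(SAMPLE_POM):
        print(":".join(dep))
```

Run against a published POM, the output is the set of libraries every consumer's dependency scanner will see unless the consumer adds its own exclusions.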