[ 
https://issues.apache.org/jira/browse/KAFKA-15138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17859653#comment-17859653
 ] 

Romain Quinio edited comment on KAFKA-15138 at 6/24/24 12:07 PM:
-----------------------------------------------------------------

Any news on this? Lz4-java is no longer maintained since 2021
(https://github.com/lz4/lz4-java/issues/196), so kafka-clients brings in
lz4-java as a transitive dependency with security vulnerabilities.

Or is there a workaround of excluding, via dependency management, the
dependencies on compression protocols that are not used? Or would that cause
a classloading error in Kafka?



> Java kafka-clients compression dependencies should be optional
> --------------------------------------------------------------
>
>                 Key: KAFKA-15138
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15138
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.4.0
>            Reporter: Joe DiPol
>            Priority: Major
>
> If you look at
> https://repo1.maven.org/maven2/org/apache/kafka/kafka-clients/3.4.0/kafka-clients-3.4.0.pom
> You see that the dependencies for the compression libraries (like lz4-java)
> do NOT have "<optional>true</optional>". That means that these
> libraries are transitive dependencies which will be pulled (and potentially
> security scanned) for any project that uses kafka-clients.
> This is not correct. These compression libraries are optional and should not
> be transitive dependencies of kafka-clients. Therefore the above pom should
> state optional like:
>
> <dependency>
>     <groupId>org.lz4</groupId>
>     <artifactId>lz4-java</artifactId>
>     <version>1.8.0</version>
>     <scope>runtime</scope>
>     <optional>true</optional>
> </dependency>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
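The workaround the comment asks about is, in Maven terms, an <exclusion> for org.lz4:lz4-java (and likewise org.xerial.snappy:snappy-java and com.github.luben:zstd-jni) under the kafka-clients dependency, so the codec classes simply disappear from the classpath. Whether kafka-clients then tolerates their absence as long as the codec is never selected is exactly the open question above; what a practitioner can do regardless is fail fast at startup when the configured compression.type names a codec whose library was excluded, instead of getting a NoClassDefFoundError from inside the producer later. The Java below is an added example, not code from Apache Kafka or from anyone in this issue. It assumes the entry-point class names of the upstream codec libraries (net.jpountz.lz4.LZ4Factory, org.xerial.snappy.Snappy, com.github.luben.zstd.Zstd) and the Kafka compression.type values none, gzip, snappy, lz4 and zstd; none of that is stated in the issue.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Objects;

/**
 * Startup preflight for applications that exclude kafka-clients' transitive
 * compression libraries (lz4-java, snappy-java, zstd-jni) from their build.
 *
 * Added example, not code from Apache Kafka or from the Jira issue. Assumed
 * (not stated in the issue): the class names below are the entry points
 * shipped by the upstream codec libraries, and Kafka's "compression.type"
 * accepts none, gzip, snappy, lz4 and zstd.
 */
public final class CompressionPreflight {

    /** Kafka codec name -> a class that only exists if that codec's library is present. */
    private static final Map<String, String> CODEC_CLASS = Map.of(
            "lz4",    "net.jpountz.lz4.LZ4Factory",   // org.lz4:lz4-java
            "snappy", "org.xerial.snappy.Snappy",      // org.xerial.snappy:snappy-java
            "zstd",   "com.github.luben.zstd.Zstd"     // com.github.luben:zstd-jni
    );

    private CompressionPreflight() {}

    /**
     * True when the codec named by compressionType can be used in this JVM.
     * "none" and "gzip" need nothing beyond the JDK; the others need their
     * library on the classpath. Unknown names are rejected outright.
     */
    public static boolean codecAvailable(String compressionType, ClassLoader loader) {
        String codec = Objects.requireNonNull(compressionType).trim().toLowerCase(Locale.ROOT);
        switch (codec) {
            case "none":
            case "gzip":
                return true;
            default:
                String cls = CODEC_CLASS.get(codec);
                if (cls == null) {
                    throw new IllegalArgumentException("unknown compression.type: " + compressionType);
                }
                try {
                    // initialize=false: resolves the class without running its static
                    // initializers, so no native library is loaded just for the check.
                    Class.forName(cls, false, loader);
                    return true;
                } catch (ClassNotFoundException | NoClassDefFoundError e) {
                    return false;
                }
        }
    }

    /** Fail fast with an actionable message before a KafkaProducer is ever created. */
    public static void requireCodec(Map<String, Object> producerConfig) {
        String type = String.valueOf(producerConfig.getOrDefault("compression.type", "none"));
        if (!codecAvailable(type, CompressionPreflight.class.getClassLoader())) {
            throw new IllegalStateException("compression.type=" + type
                    + " is configured but its codec library is not on the classpath;"
                    + " add the dependency back or choose one of: none, gzip, "
                    + CODEC_CLASS.keySet());
        }
    }

    public static void main(String[] args) {
        // Constructed sample config; in a real application this is the map
        // handed to new KafkaProducer<>(config).
        Map<String, Object> config = Map.of(
                "bootstrap.servers", "localhost:9092",
                "compression.type", args.length > 0 ? args[0] : "lz4");
        requireCodec(config);
        System.out.println("codec " + config.get("compression.type") + " is available");
    }
}
```

Run it with the codec name as the first argument after applying the exclusions in the build; with lz4-java excluded, `lz4` throws the IllegalStateException at startup while `gzip` passes. One caveat for consumers: a consumer has to decompress whatever batches the topic actually holds, and a broker's per-topic compression.type can recompress batches independently of what any one producer sends, so on the consumer side only codecs that no producer and no topic configuration for those topics uses are safe to exclude.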