[ https://issues.apache.org/jira/browse/KAFKA-15138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17859653#comment-17859653 ]
Romain Quinio edited comment on KAFKA-15138 at 6/24/24 12:07 PM:
-----------------------------------------------------------------

Any news on this? Lz4-java is no longer maintained since 2021 ([https://github.com/lz4/lz4-java/issues/196|https://github.com/lz4/lz4-java/issues/196]), so kafka-client is bringing the transitive dependency lz4-java with security vulnerabilities. Or is there a workaround of excluding via dependency management the dependencies to compression protocols that are not used? Or would that cause a classloading error in Kafka?

> Java kafka-clients compression dependencies should be optional
> --------------------------------------------------------------
>
>                 Key: KAFKA-15138
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15138
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.4.0
>            Reporter: Joe DiPol
>            Priority: Major
>
> If you look at
> [https://repo1.maven.org/maven2/org/apache/kafka/kafka-clients/3.4.0/kafka-clients-3.4.0.pom]
> you see that the dependencies for the compression libraries (like lz4-java)
> do NOT have <optional>true</optional>. That means that these
> libraries are transitive dependencies which will be pulled (and potentially
> security scanned) for any project that uses kafka-clients.
>
> This is not correct. These compression libraries are optional and should not
> be transitive dependencies of kafka-clients.
> Therefore the above pom should state optional like:
>
>   <dependency>
>     <groupId>org.lz4</groupId>
>     <artifactId>lz4-java</artifactId>
>     <version>1.8.0</version>
>     <scope>runtime</scope>
>     <optional>true</optional>
>   </dependency>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
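The exclusion workaround Romain asks about, as an added example that is not part of the issue or of the Kafka project's own build: a consuming application's pom that keeps kafka-clients 3.4.0 but drops the compression libraries it never configures, then re-declares the single codec it does use as a direct dependency so the scanner sees exactly one compression library at a version the application controls. The issue names only lz4-java; the snappy-java and zstd-jni coordinates are the other two compression artifacts kafka-clients declares alongside it, and the zstd-jni version is a placeholder, not a recommendation. The choice of zstd as the codec kept is an assumption for the example.

```xml
<!-- Added example, not from KAFKA-15138 or the Kafka project. A consumer
     pom that keeps kafka-clients but excludes the compression libraries
     this application never uses. Only lz4-java is named in the issue; the
     snappy-java and zstd-jni coordinates are the ones kafka-clients declares
     next to it. Version numbers are placeholders for your own build. -->
<dependencies>
  <dependency>
    <groupId>org.apache.kafka</groupId>
    <artifactId>kafka-clients</artifactId>
    <version>3.4.0</version>
    <exclusions>
      <!-- unmaintained since 2021 per the comment above; this application
           never sets compression.type=lz4 on a producer -->
      <exclusion>
        <groupId>org.lz4</groupId>
        <artifactId>lz4-java</artifactId>
      </exclusion>
      <!-- snappy: also unused here -->
      <exclusion>
        <groupId>org.xerial.snappy</groupId>
        <artifactId>snappy-java</artifactId>
      </exclusion>
      <!-- zstd: excluded from the transitive graph and re-declared below
           so this pom, not kafka-clients, pins its version -->
      <exclusion>
        <groupId>com.github.luben</groupId>
        <artifactId>zstd-jni</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- The one codec this application actually configures (assumed here:
       compression.type=zstd on its producers). Declared directly so the
       dependency scanner reports exactly one compression library and the
       upgrade cadence is yours rather than inherited from kafka-clients. -->
  <dependency>
    <groupId>com.github.luben</groupId>
    <artifactId>zstd-jni</artifactId>
    <version>1.5.5-5</version> <!-- placeholder; pick a current release -->
    <scope>runtime</scope>
  </dependency>
</dependencies>
```

Check the result with `mvn dependency:tree -Dincludes=org.lz4,org.xerial.snappy,com.github.luben`, which should list only the zstd-jni you declared. On the classloading question the issue gives no answer; my reading of the kafka-clients source is that the codec-specific stream classes are kept separate precisely so a compression library's classes are not loaded until that codec is used, so an excluded library does not fail at startup but with a NoClassDefFoundError the first time a batch with that compression type is written or decompressed. The consuming side is where this bites: a consumer does not choose the codec, it decompresses whatever the topic's producers (or the broker's topic-level compression.type) wrote, so excluding a library from a consuming application is only safe if you control every producer of the topics it reads.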