This is an automated email from the ASF dual-hosted git repository.

chia7712 pushed a commit to branch 4.0
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.0 by this push:
     new f42e4dff959 KAFKA-20168 Add comment to explain why we don't upgrade jetty version (#21776)
f42e4dff959 is described below

commit f42e4dff9593aa99e3db58e5846474d385808b8e
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Tue Mar 17 03:01:45 2026 +0800

    KAFKA-20168 Add comment to explain why we don't upgrade jetty version (#21776)
    
    Follow-up to
    https://github.com/apache/kafka/pull/21561#issuecomment-4068484146.
    Add a comment explaining why Jetty is pinned to 12.0.25 on the 4.1 and
    4.0 branches, matching the comment already present on trunk and 4.2.
    
    Reviewers: Chia-Ping Tsai <[email protected]>
---
 gradle/dependencies.gradle | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index e855fba9619..07595b227a9 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -69,6 +69,10 @@ versions += [
   jackson: "2.18.6",
   jacoco: "0.8.10",
   javassist: "3.29.2-GA",
+  // Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage (e.g. 
Logger.atDebug()) in production
+  // code, which causes NoSuchMethodError at runtime since Kafka uses SLF4J 
1.7.x.
+  // 12.0.25 is the version that includes the CVE-2025-5115 fix while only 
using the
+  // SLF4J 2.x fluent API in test code, avoiding the runtime incompatibility.
   jetty: "12.0.25",
   jersey: "3.1.10",
   jline: "3.25.1",
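Review bot: The added comment above `jetty: "12.0.25"` leaves the range between the pin and the break unexplained: it says 12.0.30+ introduced the SLF4J 2.x fluent API in production code and that 12.0.25 carries the CVE-2025-5115 fix, but not whether 12.0.26 through 12.0.29 are also usable with SLF4J 1.7.x. Anyone who later needs a newer Jetty security fix on this branch cannot tell from the comment how far the pin can move. Consider stating the highest known-compatible version, or saying explicitly that only 12.0.25 was checked. It would also help to name KAFKA-20168 in the comment itself so the reasoning can be found from the file, and to note the condition for lifting the pin (the branch moving to SLF4J 2.x), so the constraint is revisited rather than treated as permanent.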
