This is an automated email from the ASF dual-hosted git repository.
chia7712 pushed a commit to branch 4.1
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/4.1 by this push:
new 2fdef21f0e5 KAFKA-20168 Add comment to explain why we don't upgrade
jetty version (4.1) (#21775)
2fdef21f0e5 is described below
commit 2fdef21f0e548e83385fb3dfad10a0e428ae83ea
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Tue Mar 17 03:01:07 2026 +0800
KAFKA-20168 Add comment to explain why we don't upgrade jetty version (4.1)
(#21775)
Follow-up to
https://github.com/apache/kafka/pull/21561#issuecomment-4068484146.
Add a comment explaining why Jetty is pinned to 12.0.25 on the 4.1 and
4.0 branches, matching the comment already present on trunk and 4.2.
Reviewers: Chia-Ping Tsai <[email protected]>
---
gradle/dependencies.gradle | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index e5844bcd259..3c625763a8d 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -66,6 +66,10 @@ versions += [
jackson: "2.19.4",
jacoco: "0.8.13",
javassist: "3.30.2-GA",
+ // Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage (e.g.
Logger.atDebug()) in production
+ // code, which causes NoSuchMethodError at runtime since Kafka uses SLF4J
1.7.x.
+ // 12.0.25 is the version that includes the CVE-2025-5115 fix while only
using the
+ // SLF4J 2.x fluent API in test code, avoiding the runtime incompatibility.
jetty: "12.0.25",
jersey: "3.1.10",
jline: "3.30.4",
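Review bot: The comment added above the `jetty: "12.0.25"` entry leaves 12.0.26 through 12.0.29 unaccounted for. It says 12.0.30+ uses the SLF4J 2.x fluent API in production code and that 12.0.25 includes the CVE-2025-5115 fix, but not whether the releases in between are safe to move to, so a later security bump has no stated upper bound to work from. Consider spelling out the constraint (stay below 12.0.30 while Kafka uses SLF4J 1.7.x) and referencing KAFKA-20168 in the comment. That gives anyone proposing a Jetty upgrade on this branch, whether by hand or through an automated dependency update, a pointer to the reasoning and to the condition under which the pin can be lifted.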