Hi all,

This KIP is no longer needed.

The Jetty team has reverted all SLF4J 2.x fluent API usage:

- Jetty 12.0.x: https://github.com/jetty/jetty.project/pull/14642 (merged, targeting 12.0.34)
- Jetty 12.1.x: https://github.com/jetty/jetty.project/pull/14748 (merged, targeting 12.1.8)

The Jetty maintainer also indicated that Jetty 13.0.x will likely stay on non-fluent APIs as well (https://github.com/jetty/jetty.project/issues/14747).

This means Kafka can upgrade Jetty directly without any shadowing once Jetty 12.0.34 is released, resolving both CVEs (KAFKA-20270, KAFKA-20283).

I will withdraw this KIP.

Thanks Chia-Ping for the questions. Regarding the shadow approach, it would have had a minor limitation where users who replaced Log4j2 with an alternative backend would lose Jetty's logs, but this is no longer relevant since we don't need shadowing anymore.

Thanks,
Ming-Yen

Chia-Ping Tsai <[email protected]> wrote on Thu, Mar 19, 2026 at 7:00 AM:

> Hi Ming-Yen,
>
> Thanks for this KIP. A couple of questions are listed below.
>
> 1. What happens if users replace the log4j2 impl with another log framework when running a worker?
> 2. What should we do if Kafka 5.0 is going to upgrade to slf4j 2?
>
> Best,
> Chia-Ping
>
> On 2026/03/16 14:41:54 Ming-Yen Chung wrote:
> > Hi all,
> >
> > I would like to start a discussion on
> > KIP-1296: Shadow Jetty dependencies to decouple from SLF4J version conflict
> > <https://cwiki.apache.org/confluence/x/c5I8G>
> >
> > Kafka is pinned to Jetty 12.0.25 because Jetty 12.0.30+ uses SLF4J 2.x
> > fluent API calls that cause NoSuchMethodError with Kafka's SLF4J 1.7.x.
> > This blocks two CVE fixes (KAFKA-20270, KAFKA-20283).
> >
> > This KIP proposes a shadow JAR module that bundles Jetty with a relocated
> > slf4j-api 2.x, allowing Jetty to use SLF4J 2.x internally without
> > affecting Kafka's SLF4J 1.x. No public interfaces are changed.
> >
> > Example PR: https://github.com/apache/kafka/pull/21773
> >
> > Thanks,
> > Ming-Yen
