hi Ming-Yen

Thanks for updating the KIP. It's a shame we can't adopt SLF4J 2 just yet, but it's great to hear that Jetty is stepping up to make our lives easier.

> Ming-Yen Chung <[email protected]> wrote on March 29, 2026 at 6:44 PM:
>
> Hi all,
>
> This KIP is no longer needed.
>
> The Jetty team has reverted all SLF4J 2.x fluent API usage:
> - Jetty 12.0.x: https://github.com/jetty/jetty.project/pull/14642 (merged,
> targeting 12.0.34)
> - Jetty 12.1.x: https://github.com/jetty/jetty.project/pull/14748 (merged,
> targeting 12.1.8)
>
> The Jetty maintainer also indicated that Jetty 13.0.x will likely stay on
> non-fluent APIs as well (https://github.com/jetty/jetty.project/issues/14747
> ).
>
> This means Kafka can upgrade Jetty directly without any shadowing once
> Jetty 12.0.34 is released, resolving both CVEs (KAFKA-20270, KAFKA-20283).
> I will withdraw this KIP.
>
> Thanks Chia-Ping for the questions. Regarding the shadow approach, it would
> have had a minor limitation where users who replaced Log4j2 with an
> alternative backend would lose Jetty's logs, but this is no longer relevant
> since we don't need shadowing anymore.
>
> Thanks,
> Ming-Yen
>
> Chia-Ping Tsai <[email protected]> wrote on Thursday, March 19, 2026 at 7:00 AM:
>
>> hi Ming-Yen
>>
>> thanks for this KIP. A couple of questions are listed below.
>>
>> 1. what happens if users replace the log4j2 impl by other log framework
>> when running worker?
>> 2. what we should do if kafka 5.0 is going to upgrade to slf4j 2?
>>
>> Best,
>> Chia-Ping
>>
>>
>>> On 2026/03/16 14:41:54 Ming-Yen Chung wrote:
>>> Hi all,
>>>
>>> I would like to start a discussion on
>>> KIP-1296: Shadow Jetty dependencies to decouple from SLF4J version conflict
>>> <https://cwiki.apache.org/confluence/x/c5I8G>
>>>
>>> Kafka is pinned to Jetty 12.0.25 because Jetty 12.0.30+ uses SLF4J 2.x
>>> fluent API calls that cause NoSuchMethodError with Kafka's SLF4J 1.7.x.
>>> This blocks two CVE fixes (KAFKA-20270, KAFKA-20283).
>>>
>>> This KIP proposes a shadow JAR module that bundles Jetty with a relocated
>>> slf4j-api 2.x, allowing Jetty to use SLF4J 2.x internally without
>>> affecting Kafka's SLF4J 1.x.
>>> No public interfaces are changed.
>>>
>>> Example PR: https://github.com/apache/kafka/pull/21773
>>>
>>> Thanks,
>>> Ming-Yen
>>>
>>
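
A pre-upgrade check for the incompatibility described in the quoted KIP message, as an added example that is not part of this thread or of Kafka's or Jetty's code: it scans a JAR for classes whose constant pool names `org.slf4j.spi.LoggingEventBuilder`, the return type of SLF4J 2.x fluent calls such as `Logger.atInfo()`, and ignores relocated (shaded) copies. The function names and the sample JAR contents are assumptions constructed for illustration, and the byte search is a heuristic rather than a full class-file parse.

```python
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Logger.atInfo()/atDebug()/... return this type, so its name lands in the
# constant pool of every class that calls the SLF4J 2.x fluent API.
# The lookbehind skips relocated copies such as shaded/org/slf4j/...
FLUENT_TYPE = re.compile(rb"(?<!/)org/slf4j/spi/LoggingEventBuilder")


def fluent_api_users(jar_bytes):
    """Return class entries that reference the unrelocated SLF4J 2.x fluent API."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            # Require the class-file magic so renamed non-class entries are skipped.
            if data.startswith(CLASS_MAGIC) and FLUENT_TYPE.search(data):
                hits.append(name)
    return sorted(hits)


def constructed_jar(entries):
    """Build an in-memory JAR from {entry name: constant-pool text} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, pool_text in entries.items():
            jar.writestr(name, CLASS_MAGIC + b"\x00\x00\x00\x3d" + pool_text)
    return buf.getvalue()


# Constructed sample: entry names and contents are made up, not taken from Jetty.
SAMPLE = constructed_jar({
    "example/FluentCaller.class": b"atInfo\x00\x25()Lorg/slf4j/spi/LoggingEventBuilder;",
    "example/ClassicCaller.class": b"info\x00\x15(Ljava/lang/String;)V",
    "example/ShadedCaller.class": b"()Lshaded/org/slf4j/spi/LoggingEventBuilder;",
    "META-INF/MANIFEST.MF": b"org/slf4j/spi/LoggingEventBuilder",
})

if __name__ == "__main__":
    for entry in fluent_api_users(SAMPLE):
        print("needs SLF4J 2.x on the classpath:", entry)
```

Any entry it reports in a dependency JAR would fail with `NoSuchMethodError` when run against slf4j-api 1.7.x, which makes it usable as a build-time gate before bumping a pinned version.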
