[
https://issues.apache.org/jira/browse/KAFKA-15203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17849983#comment-17849983
]
Ganesh Sadanala edited comment on KAFKA-15203 at 5/28/24 11:06 AM:
-------------------------------------------------------------------
[~chia7712] The library does not work as expected on projects using JDK 16+.
There is no other library which can scan without the configuration
files/metadata. I guess we have to wait until the deprecation is addressed.
Two problems due to delayed deprecation:
# The implementation of `ServiceLoader` is not noticeable because it is used
in combination with Reflections. So performance-wise no change is observed.
# Security vulnerabilities would still be valid.
Unless it is a serious issue, it can be awaited. This is my opinion.
> Remove dependency on Reflections
> ---------------------------------
>
> Key: KAFKA-15203
> URL: https://issues.apache.org/jira/browse/KAFKA-15203
> Project: Kafka
> Issue Type: Bug
> Components: connect
> Reporter: Divij Vaidya
> Assignee: Ganesh Sadanala
> Priority: Major
> Labels: newbie
> Fix For: 5.0.0
>
>
> We currently depend on the Reflections library, which is EOL. Quoting from the
> GitHub site:
> _> Please note: Reflections library is currently NOT under active development
> or maintenance_
>
> This poses a supply chain risk for our project, where security fixes and
> other major bugs in the underlying dependency may not be addressed in a timely manner.
> Hence, we should plan to remove this dependency.