viktorsomogyi commented on PR #15914: URL: https://github.com/apache/kafka/pull/15914#issuecomment-2136890317
@sjhajharia thanks for highlighting the CVE, it's important to consider them. This version bump doesn't fix the CVE indeed as you highlighted, but it is present in older versions too, so it doesn't really make it worse either. My reason for this version bump is simply to get in sync with our downstream software and also 3.9.5 depends on slf4j-1.7.36 which is Kafka's current slf4j dependency, whereas 3.9.4 depends on slf4j-1.7.30. So in this sense it's more about aligning dependencies rather than fixing CVEs.
