[https://issues.apache.org/jira/browse/KAFKA-15138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17859653#comment-17859653]
Romain Quinio commented on KAFKA-15138:
---------------------------------------
Any news on this? Lz4-java is no longer maintained since 2021
(https://github.com/lz4/lz4-java/issues/196), so kafka-clients is bringing in
the transitive dependency lz4-java with security vulnerabilities.
Or is there a workaround of excluding, via dependency management, the
dependencies on compression protocols that are not used? Or would that cause a
classloading error in Kafka?
> Java kafka-clients compression dependencies should be optional
> --------------------------------------------------------------
>
> Key: KAFKA-15138
> URL: https://issues.apache.org/jira/browse/KAFKA-15138
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 3.4.0
> Reporter: Joe DiPol
> Priority: Major
>
> If you look at
> [https://repo1.maven.org/maven2/org/apache/kafka/kafka-clients/3.4.0/kafka-clients-3.4.0.pom]
> You see that the dependencies for the compression libraries (like lz4-java)
> do NOT have "<optional>true</optional>". That means that these
> libraries are transitive dependencies which will be pulled (and potentially
> security scanned) for any project that uses kafka-clients.
> This is not correct. These compression libraries are optional and should not
> be transitive dependencies of kafka-clients. Therefore the above pom should
> state optional like:
>
>     <dependency>
>       <groupId>org.lz4</groupId>
>       <artifactId>lz4-java</artifactId>
>       <version>1.8.0</version>
>       <scope>runtime</scope>
>       <optional>true</optional>
>     </dependency>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
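The consumer-side workaround the comment asks about, as an added example that is not part of the Jira thread or of the Kafka project's own build files: a downstream application's pom.xml keeps kafka-clients 3.4.0 (the version named in the issue) but excludes the compression codec libraries it never uses. The lz4-java coordinates come from the issue; the snappy-java and zstd-jni coordinates are the published Maven coordinates of the other two codecs kafka-clients depends on, and the choice to exclude all three is an assumption to adjust for your own topics.

```xml
<!-- Added example, not from the Jira issue or the Kafka project.
     Application pom.xml fragment: pull kafka-clients but drop the codec
     libraries this service never produces or consumes, so they no longer
     appear in the dependency tree or in security scans of the build. -->
<dependency>
  <groupId>org.apache.kafka</groupId>
  <artifactId>kafka-clients</artifactId>
  <version>3.4.0</version>
  <exclusions>
    <!-- LZ4 codec: the unmaintained transitive dependency discussed above -->
    <exclusion>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
    </exclusion>
    <!-- Snappy and zstd codecs (assumed unused here); delete an entry if any
         producer writing to topics this client reads sets that compression.type -->
    <exclusion>
      <groupId>org.xerial.snappy</groupId>
      <artifactId>snappy-java</artifactId>
    </exclusion>
    <exclusion>
      <groupId>com.github.luben</groupId>
      <artifactId>zstd-jni</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Check the result with `mvn dependency:tree -Dincludes=org.lz4`, which should print no lz4-java node once the exclusion is in place. The caveat for the classloading question: an exclusion only removes the jar, not the client's code paths that reference it, so a consumer that receives a batch compressed with an excluded codec, or a producer configured with that `compression.type`, fails at that point with a `NoClassDefFoundError`. Because a consumer must decompress whatever the producer chose, this is only safe when every producer of the topics involved is known not to use the excluded codecs; otherwise keep the library and track its advisories instead.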