[
https://issues.apache.org/jira/browse/KAFKA-9060?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17959668#comment-17959668
]
Marcel Stör commented on KAFKA-9060:
------------------------------------
This would be most welcome! Particularly so in situations like now where we get
the Kafka dependencies through {{spring-kafka}}/{{spring-kafka-test}} but have
to bump them due to vulnerabilities (3.8 -> 3.9.1 in this case).
> Publish BOMs for Kafka
> ----------------------
>
> Key: KAFKA-9060
> URL: https://issues.apache.org/jira/browse/KAFKA-9060
> Project: Kafka
> Issue Type: Improvement
> Reporter: Michael Holler
> Priority: Trivial
>
> Hey there! Love the project, but I would love it if there was a BOM file that
> is published for each version. If you're not familiar with a BOM, it stands
> for "Bill of Materials"; it helps your Gradle (in my case, but it's originally
> a Maven thing) file look like this (using JDBI's implementation as an
> example):
> {code}
> dependencies {
> implementation(platform("org.jdbi:jdbi3-bom:3.10.1"))
> implementation("org.jdbi:jdbi3-core")
> implementation("org.jdbi:jdbi3-kotlin")
> implementation("org.jdbi:jdbi3-kotlin-sqlobject")
> implementation("org.jdbi:jdbi3-jackson2")
> }
> {code}
> Instead of this:
> {code}
> val jdbiVersion by extra { "2.6.1" }
>
> dependencies {
> implementation("org.jdbi:jdbi3-core:$jdbiVersion")
> implementation("org.jdbi:jdbi3-kotlin:$jdbiVersion")
> implementation("org.jdbi:jdbi3-kotlin-sqlobject:$jdbiVersion")
> implementation("org.jdbi:jdbi3-jackson2:$jdbiVersion")
> }
> {code}
> Notice how you just leave the versions off when you use a BOM. This can help
> reduce the number of dependency compatibility surprises one can encounter,
> especially if a transitive dependency brings in a newer version of one of the
> components (it'll be reduced to the BOM's version). Note also that you still
> have to list dependencies you want with a BOM, just not the versions.
> Here's a deeper dive into how a BOM works:
> https://howtodoinjava.com/maven/maven-bom-bill-of-materials-dependency/
> The Maven help site also has a section on it (Ctrl+F for "BOM"):
> https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
> I think BOMs would be great for the users of the Kafka project because
> there are lots of Kafka libraries (streams, connect-api, connect-json, etc.)
> that require the same version as other Kafka dependencies to work correctly.
> BOMs were designed for exactly this use case.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
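Until a Kafka BOM exists, the situation Marcel describes (Kafka pulled in transitively via spring-kafka, but needing a bump to 3.9.1 for a vulnerability fix) can be handled in Gradle with dependency constraints that play the BOM's role, plus a check that the resolved classpath really ended up on the pinned version. This is an added example, not code from the Kafka project or the Jira thread; it assumes the `java` plugin is applied and that the version of `spring-kafka` itself is supplied by your Spring dependency management.

```kotlin
// build.gradle.kts (added example, not Kafka project code)
// One place to pin the Kafka version that every org.apache.kafka artifact must use.
val kafkaVersion = "3.9.1"

dependencies {
    // Assumption: spring-kafka's own version comes from Spring's dependency management.
    implementation("org.springframework.kafka:spring-kafka")

    // Constraints stand in for a BOM: they pin versions without adding dependencies.
    // Only artifacts you actually declare (or that arrive transitively) are affected.
    constraints {
        listOf("kafka-clients", "kafka-streams", "connect-api", "connect-json").forEach { artifact ->
            implementation("org.apache.kafka:$artifact") {
                // strictly() overrides the (non-strict) version that spring-kafka requests.
                version { strictly(kafkaVersion) }
                because("align all Kafka artifacts on $kafkaVersion, including transitive ones")
            }
        }
    }
}

// Fails the build if any org.apache.kafka artifact on the runtime classpath
// resolved to a version other than the pinned one, so a silent downgrade or
// a stray newer version from another transitive dependency is caught in CI.
tasks.register("verifyKafkaVersion") {
    doLast {
        val mismatched = configurations.runtimeClasspath.get()
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.apache.kafka" && it.version != kafkaVersion }
        if (mismatched.isNotEmpty()) {
            throw GradleException("Kafka artifacts not on $kafkaVersion: $mismatched")
        }
    }
}
```

Run `./gradlew verifyKafkaVersion` (or wire it into `check`) after a dependency bump; `./gradlew dependencyInsight --dependency kafka-clients` shows why each version was chosen if the task fails.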