dejan2609 commented on PR #21583:
URL: https://github.com/apache/kafka/pull/21583#issuecomment-4006511351

   Thanks for the merge! Here is my follow-up :arrow_down_small:
   
   > _Out of curiosity how did you come across this?_
   
   I started this PR #21295 and then I abandoned it because it was too big and, on top of that, even though I tried to be cautious and to use only patch and non-breaking minor version updates, one can never be 100 % sure. Herewith some examples:
    - https://issues.apache.org/jira/browse/KAFKA-19792 Gradle build fails after Swagger patch version update
    - https://issues.apache.org/jira/browse/KAFKA-20168 Upgrade jetty to fix CVE-2025-5115
   ```
   dejan@dejan:~/kafka$ git log --oneline | grep KAFKA-20168
   e3bb2b8d01 KAFKA-20168 Downgrade Jetty from 12.0.32 to 12.0.25 to fix SLF4J 2.x incompatibility (#21559)
   24b243cc30 KAFKA-20168 Upgrade Jetty from 12.0.22 to 12.0.32 to fix CVE-2025-5115 (#21452)
   dejan@dejan:~/kafka$
   ```
   All in all: I decided to split this overzealous PR into a series of smaller PRs. It goes without saying that versions that solve CVEs are stealing the show, so I scrapped this one first (and I have a few more in my backlog).
   
   > _Is this caught by our CVE scanner done on trunk once a day? If not, is there something we need to extend in order to catch these in the future in your opinion?_
   
   Obviously, my answer is no, but now I realize that CVE scanning is implemented probably via `.github/workflows/docker_scan.yml`:
   
   <img width="1573" height="825" alt="image" src="https://github.com/user-attachments/assets/83ad494d-228f-41b6-a5ad-759d706bda1f" />
   
   :bulb: @clolov My suggestion would be to raise awareness for the entire community: a simple paragraph (with a GitHub Actions daily build results URL) in the root README.md should do the trick.
   