Hi,

I would like to start a conversation about releases for the Flink Connector 
Kafka project.

We have recently updated [0] to version 3.9.1 of the Kafka client library, 
which fixes a critical CVE [1]. With that in mind, I think it would be prudent 
to have a 4.1.0 release as soon as possible that includes this. It would also 
be good to include the dependency bumps from this PR [2] in that release.

With the 4.1.0 release out, we could then move to looking at the Kafka 4.0 
upgrade (there is already a PR [3] for that). The main point with the Kafka 4.0 
upgrade is that it drops support for Kafka brokers running version 2.0.0 and 
lower. Given this, I think it would make sense to move the Connector version to 
5.0.0 and maybe even move to Flink 2.1.0 (which should be available in a month 
or so). This 5.0.0 release could also remove all the Zookeeper specific test 
infra and move to KRaft based clusters for testing. We could also move to a 
new, updated Flink Connector Parent pom version [4] which would harmonise the 
java versions and plugins with the main Flink project.

I think, if the above is acceptable, that these changes warrant a major version 
bump. Users of older Kafka clusters would still be able to use 4.1.0 (which is 
an argument for making sure that release has the most up-to-date dependencies).

Anyway, I would love to hear what the community thinks of the above.

Thanks,

Tom Cooper
@tomcooper.dev | https://tomcooper.dev

[0] https://github.com/apache/flink-connector-kafka/pull/180
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-27817
[2] https://github.com/apache/flink-connector-kafka/pull/181
[3] https://github.com/apache/flink-connector-kafka/pull/161
[4] https://github.com/apache/flink-connector-shared-utils/pull/48