Hi Fabian, You make a good point, as there are only dependency updates, a 4.0.1 release makes more sense.
At this point the 5.0 connector release could include the soon to be released Kafka 4.0.1 client libraries (the RC for that is out already). I assume we would want to leave the flink 2.1 upgrade to a future 5.1 release? Thanks for looking at this. Regards, Tom Cooper @tomcooper.dev | https://tomcooper.dev On Monday, 28 July 2025 at 09:51, Fabian Paul <fp...@apache.org> wrote: > Hi Tom, > > Thanks for starting this discussion. I think it's a good idea to do > another 4.1.0 release before proceeding with 5.0 to offer a release > with the vulnerability fixed without requiring users to upgrade to > Kafka 4.0. Is there a reason you prefer to do the 4.1.0 release > instead of the 4.0.1 release? I reviewed the changes between the > current main and the release 4.0.0 [1], and they are mostly dependency > upgrades and some fixes, but without any new features. What do you > think about doing a 4.0.1 release and then kicking off 5.0.0 with the > Kafka client upgrade? > > Best, > Fabian > > [1] https://github.com/apache/flink-connector-kafka/compare/v4.0...main > > On Fri, Jul 25, 2025 at 11:58 AM Tom Cooper c...@tomcooper.dev wrote: > > > Bumping this thread as we are now ready to merge the Kafka 4.0.0 client > > update PR [1]. This will bump the major version of the connector to 5.0, as > > we are dropping support for Kafka brokers running version 2.0.0 or earlier. > > > > However, I still think it would be worth doing a 4.1.0 release of the > > connector (with the Kafka 3.9.1 client), before the Kafka 4.0.0 client > > update is merged. > > > > The current Flink Kafka Connector (4.0) has a critical CVE [2], which is > > patched in the 3.9.1 Kafka client library (which the current main branch of > > the Flink connector is using). Doing a 4.1 release of the connector would > > cover any users of older Kafka versions that want this CVE patched and also > > give a stable release of the connector using a point release of the Kafka > > client (with all the bug fixes that entails). This would be a good option > > for users who don't want to jump straight onto the new major Kafka client > > version. > > > > What do people think? > > > > Tom Cooper > > @tomcooper.dev | https://tomcooper.dev > > > > [1] https://github.com/apache/flink-connector-kafka/pull/161 > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-27817 > > > > On Wednesday, 9 July 2025 at 09:35, Tom Cooper c...@tomcooper.dev wrote: > > > > > Hi, > > > > > > I would like to start a conversation about releases for the Flink > > > Connector Kafka project. > > > > > > We have recently updated [0] to version 3.9.1 of the Kafka client > > > library, which fixes a critical CVE [1]. With that in mind, I think it > > > would be prudent to have a 4.1.0 release as soon as possible that > > > includes this. It would also be good to include the dependency bumps from > > > this PR [2] in that release. > > > > > > With the 4.1.0 release out, we could then move to looking at the Kafka > > > 4.0 upgrade (there is already a PR [3] for that). The main point with the > > > Kafka 4.0 upgrade is that it drops support for Kafka brokers running > > > version 2.0.0 and lower. Given this, I think it would make sense to move > > > the Connector version to 5.0.0 and maybe even move to Flink 2.1.0 (which > > > should be available in a month or so). This 5.0.0 release could also > > > remove all the Zookeeper specific test infra and move to KRaft based > > > clusters for testing. We could also move to a new, updated Flink > > > Connector Parent pom version [4] which would harmonise the java versions > > > and plugins with the main Flink project. > > > > > > I think, if the above is acceptable, that these changes warrant a major > > > version bump. Users of older Kafka clusters would still be able to use > > > 4.1.0 (which is an argument for making sure that release has the most > > > up-to-date dependencies). > > > > > > Anyway, I would love to hear what the community think of the above. > > > > > > Thanks, > > > > > > Tom Cooper > > > @tomcooper.dev | https://tomcooper.dev > > > > > > [0] https://github.com/apache/flink-connector-kafka/pull/180 > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2025-27817 > > > [2] https://github.com/apache/flink-connector-kafka/pull/181 > > > [3] https://github.com/apache/flink-connector-kafka/pull/161 > > > [4] https://github.com/apache/flink-connector-shared-utils/pull/48
