[ https://issues.apache.org/jira/browse/KAFKA-15138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joe DiPol updated KAFKA-15138:
------------------------------
    Description:
If you look at [https://repo1.maven.org/maven2/org/apache/kafka/kafka-clients/3.4.0/kafka-clients-3.4.0.pom] you see that the dependencies for the compression libraries (like lz4-java) do NOT have "<optional>true</optional>". That means that these libraries are transitive dependencies which will be pulled (and potentially security scanned) for any project that uses kafka-clients.

This is not correct. These compression libraries are optional and should not be transitive dependencies of kafka-clients. Therefore the above pom should state "optional" like:

    <dependency>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
      <optional>true</optional>
    </dependency>

  was:
If you look at [https://repo1.maven.org/maven2/org/apache/kafka/kafka-clients/3.4.0/kafka-clients-3.4.0.pom] you see that the dependencies for the compression libraries (like lz4-java) do NOT have "<optional>true</optional>". That means that these libraries are transitive dependencies which will be pulled (and potentially security scanned) for any project that uses kafka-clients.

This is not correct. These compression libraries are optional and should not be transitive dependencies of kafka-clients. Therefore the above pom should state "optional" like:

    <dependency>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
      <optional>true</optional>
    </dependency>

> Java kafka-clients compression dependencies should be optional
> --------------------------------------------------------------
>
>                 Key: KAFKA-15138
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15138
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.4.0
>            Reporter: Joe DiPol
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
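As an added example (not code from the Jira issue, the reporter, or the Kafka project), the following script performs the check the report implies: parse a POM and list every dependency a downstream consumer will inherit, i.e. scope compile or runtime without <optional>true</optional>, then apply the proposed fix and re-check. The POM fragment is constructed for the example; its artifact coordinates and versions are assumed, not copied from Maven Central.

```python
"""Audit a Maven POM for dependencies that consumers inherit transitively.

Added example, not part of KAFKA-15138 or of the Kafka project's code. The
SAMPLE_POM below is a constructed fragment modelled on the kafka-clients POM
discussed in the issue; coordinates and versions are assumptions.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample POM (assumed contents, for illustration only).
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.kafka</groupId>
  <artifactId>kafka-clients</artifactId>
  <version>3.4.0</version>
  <dependencies>
    <dependency>
      <groupId>com.github.luben</groupId>
      <artifactId>zstd-jni</artifactId>
      <version>1.5.2-1</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.lz4</groupId>
      <artifactId>lz4-java</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.xerial.snappy</groupId>
      <artifactId>snappy-java</artifactId>
      <version>1.1.8.4</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Scopes that Maven propagates to consumers; test/provided/system do not flow.
TRANSITIVE_SCOPES = {"compile", "runtime"}

# Artifacts the issue says should be optional (assumed list for the example).
COMPRESSION_LIBS = {"zstd-jni", "lz4-java", "snappy-java"}


def _text(dep, tag, default=""):
    """Read a child element's text, falling back to a default when absent."""
    el = dep.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else default


def transitive_deps(pom_xml: str) -> list[str]:
    """Return 'groupId:artifactId' for every dependency a consumer will pull in."""
    root = ET.fromstring(pom_xml)
    inherited = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        scope = _text(dep, "scope", "compile")  # Maven's default scope is compile
        optional = _text(dep, "optional", "false").lower() == "true"
        if scope in TRANSITIVE_SCOPES and not optional:
            inherited.append(f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}")
    return inherited


def mark_optional(pom_xml: str, artifact_ids: set[str]) -> str:
    """Apply the proposed fix: add <optional>true</optional> to the named artifacts."""
    ET.register_namespace("", POM_NS)  # keep the default POM namespace on output
    root = ET.fromstring(pom_xml)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if _text(dep, "artifactId") in artifact_ids:
            opt = dep.find("m:optional", NS)
            if opt is None:
                opt = ET.SubElement(dep, f"{{{POM_NS}}}optional")
            opt.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("inherited before fix:", transitive_deps(SAMPLE_POM))
    fixed_pom = mark_optional(SAMPLE_POM, COMPRESSION_LIBS)
    print("inherited after fix: ", transitive_deps(fixed_pom))
```

On a real build the same question is answered from the consumer side with `mvn dependency:tree -Dscope=runtime` in a project that depends on kafka-clients: anything the compression libraries contribute there is what a dependency scanner will report against that project.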