Chore: Add constraint on Lz4-java dependency due to critical CVE-2025-12183 (#113)

Author: DibyojyotiS

build.gradle.kts

@@ -27,6 +27,17 @@ subprojects {
       apply(plugin = "org.hypertrace.code-style-plugin")
     }
   }
+
+  // Handle lz4-java redirect capability conflict:
+  // Sonatype added a redirect from org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java:1.8.1 to address CVE-2025-12183.
+  // Both artifacts declare the same capability, causing a conflict when upgrading from Kafka's org.lz4:lz4-java:1.8.0.
+  // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs.
+  configurations.all {
+    resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+      select("at.yawk.lz4:lz4-java:1.8.1")
+      because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect")
+    }
+  }
 }
 
 dependencyCheck {

kafka-bom/build.gradle.kts

@@ -25,7 +25,10 @@ dependencies {
     api("org.apache.commons:commons-lang3:3.18.0") {
       because("CVE-2025-48924 is fixed in 3.18.0")
     }
-
+    api("org.lz4:lz4-java:1.8.1") {
+      because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0")
+      because("CVE-2025-12183 is fixed in 1.8.1")
+    }
 
     api("io.confluent:kafka-streams-avro-serde:$confluentVersion")
     api("io.confluent:kafka-protobuf-serializer:$confluentVersion")