From d3da5da133f55477225a5f915815e237dd90d2bc Mon Sep 17 00:00:00 2001
From: DibyojyotiS
Date: Fri, 12 Dec 2025 17:42:15 +0530
Subject: [PATCH] Move the lz4 dependency conflict resolution strategy to kafka-bom

---
 build.gradle.kts | 11 -----------
 kafka-bom/build.gradle.kts | 11 +++++++++++
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index 5013857..5df088b 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -27,17 +27,6 @@ subprojects {
 apply(plugin = "org.hypertrace.code-style-plugin")
 }
 }
-
- // Handle lz4-java redirect capability conflict:
- // Sonatype added a redirect from org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java:1.8.1 to address CVE-2025-12183.
- // Both artifacts declare the same capability, causing a conflict when upgrading from Kafka's org.lz4:lz4-java:1.8.0.
- // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs.
- configurations.all {
- resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
- select("at.yawk.lz4:lz4-java:1.8.1")
- because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect")
- }
- }
 }

 dependencyCheck {
diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts
index da8deda..6ad42e5 100644
--- a/kafka-bom/build.gradle.kts
+++ b/kafka-bom/build.gradle.kts
@@ -40,3 +40,14 @@ dependencies {
 api("org.apache.avro:avro:1.12.0")
 }
 }
+
+// Handle lz4-java redirect capability conflict:
+// Sonatype added a redirect from org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java:1.8.1 to address CVE-2025-12183.
+// Both artifacts declare the same capability, causing a conflict when upgrading from Kafka's org.lz4:lz4-java:1.8.0.
+// This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs.
+configurations.all {
+ resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+ select("at.yawk.lz4:lz4-java:1.8.1")
+ because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect")
+ }
+}
\ No newline at end of file
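Review bot: A `resolutionStrategy` declared in `kafka-bom/build.gradle.kts` only governs configurations resolved inside the kafka-bom project; resolution rules are not written into published platform metadata, so the other subprojects and any consumer of the BOM no longer inherit the lz4-java capability resolution that the removed root `subprojects { }` block applied to them. Because this rule is what steers resolution to the artifact carrying the CVE-2025-12183 fix, it is worth confirming per module that `org.lz4:lz4-java:1.8.0` does not reappear, for example with `./gradlew :<module>:dependencyInsight --dependency lz4-java --configuration runtimeClasspath`. If the BOM is meant to carry the fix to consumers, a constraint on `at.yawk.lz4:lz4-java` next to the existing `api("org.apache.avro:avro:1.12.0")` entry would do that, assuming that block is the platform's constraints block, which starts outside the hunk. The last comment line also says Gradle will "select the highest version" while the code pins one candidate with `select(...)`; I would reword it to `// This resolution strategy tells Gradle to pick the at.yawk.lz4 artifact when this conflict occurs.`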