I’m working on a project that uses Kafka Connect, specifically the connect-runtime version 3.8.1. Recently, I ran a security scan with Snyk, and it flagged a vulnerability in a transient dependency: org.eclipse.jetty:jetty-client:9.4.56.v20240826.
To address this, I’d like to upgrade the Jetty Client to a more secure version, like org.eclipse.jetty:jetty-client:12.0.12 or even higher. However, I’m not quite sure how to go about this while still using Kafka Connect Runtime.
Is there a way to force Kafka Connect to use a specific version of the Jetty Client? Can I do this with connect-runtime version 3.8.1 or 3.9.0? Any tips or advice on how to handle this dependency issue would be really helpful!
Thanks in advance for your help!
Kafka 4.0 will use Jetty 12. It is expected to release in the next few weeks.
The reason that update was not made in the 3.X releases is for compatibility reasons. You can check the Kafka Improvement Proposal that highlights the required changes (KIP-1032) for updating that dependency.
You can also check the PR that did the Jetty update: https://github.com/apache/kafka/commit/bd6d0fbf3d6a2eee4703a4cfcaaa3d6c775c5681 You'll see it's not a trivial change. Depending on your expertise you could try applying it to a Kafka 3.X release. Otherwise the easiest might just be to wait a bit and adopt Kafka 4.0 when it releases.
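As an added check that is not part of the question or the answer above: a Snyk finding describes what the build manifest pulls in, but what matters at runtime is the Jetty that is actually on the Connect worker's classpath. This script inventories the jetty-*.jar files in a Kafka installation's libs directory and fails when any is below a required major version (9 today, 12 once Kafka 4.0 is adopted). The directory layout and jar naming (artifact-version.jar) are assumptions, and the sample directory is constructed here in place of a real installation.

```shell
#!/bin/sh
# Hypothetical helper, not part of Kafka. Jar names are assumed to look like
# jetty-client-9.4.56.v20240826.jar (Jetty 9) or jetty-http-12.0.12.jar (Jetty 12).

# Print each Jetty jar in directory $1 whose major version is below $2.
# Returns 0 when every Jetty jar meets the floor, 1 otherwise.
check_jetty_floor() {
    dir="$1"; floor="$2"; status=0
    for jar in "$dir"/jetty-*.jar; do
        [ -e "$jar" ] || continue              # no jars at all: glob stays literal
        base=$(basename "$jar" .jar)
        version=${base##*-}                    # text after the last '-' (no '-' inside the version)
        artifact=${base%-*}                    # text before it, e.g. jetty-client
        major=${version%%.*}                   # leading number before the first '.'
        case "$major" in
            ''|*[!0-9]*)
                echo "WARN: cannot parse a version from $base" >&2
                status=1
                continue ;;
        esac
        if [ "$major" -lt "$floor" ]; then
            echo "$artifact $version is below Jetty $floor"
            status=1
        fi
    done
    return $status
}

# Constructed sample libs directory: two Jetty 9 jars with the version from the
# question and one Jetty 12 jar for contrast (empty files; only names matter here).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
for name in jetty-client-9.4.56.v20240826 jetty-util-9.4.56.v20240826 jetty-http-12.0.12; do
    : > "$SAMPLE/$name.jar"
done

# Against a real worker, point at the installation instead: check_jetty_floor "$KAFKA_HOME/libs" 12
check_jetty_floor "$SAMPLE" 12 || echo "at least one Jetty jar is still on a pre-12 line"
```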