Shawyeok commented on issue #22263:
URL: https://github.com/apache/pulsar/issues/22263#issuecomment-2416378265

   > > > @Shawyeok Because admin-api depends on client-api, some classes like `Auth` `MessageId` are defined in client-api.
   > > 
   > > 
   > > It looks like `pulsar-client-admin` just depends on it and is not using it.
   > > On the client side, the only feature that depends on `protobuf` at runtime is `ProtobufSchema`. However, `pulsar-client-admin` does not provide related capabilities. Therefore, I think `pulsar-client-admin` can change to declare dependencies on protobuf in the `pom.xml`, similar to `pulsar-client`, instead of directly copying protobuf-related classes into the shaded jar.
   > 
   > Thank you @Shawyeok, that's a correct observation, there are mistakes in how protobuf-java is included in the shaded clients. I'll look into resolving this problem while upgrading protobuf-java used by Pulsar to address [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8). Mailing list message is https://lists.apache.org/thread/73jk2mx4nj82kxwvwgcqz5m63scqcy2s. It should be possible to use Pulsar client with a client application provided protobuf-java version, as long as it's compatible at a very granular level. Since now we'll need to upgrade protobuf-java in Pulsar to 3.25.5, some client applications might break since protoc generated stubs are coupled to the version that they were generated with. It should be possible to allow the client application to use an older version (or a newer version in the future).
   
   Thanks @lhotari, I noticed this issue remains unresolved in the recent LTS 4.0.0 release (candidate-1), so I opened a PR https://github.com/apache/pulsar/pull/23468 to address this.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
