Hi Tom,

Sounds good to me, I can start with the 4.0.1 release.
Regarding the 5.0 release, I am not super sure yet what to include.
Since releasing always takes some effort, I would also be okay with
doing the 5.0 release incorporating Flink 2.1. The connector
already offers a release that is compatible with Flink 2.0, and in
theory, 2.1 should not introduce breaking changes that affect the
connector.

Best,
Fabian

On Mon, Jul 28, 2025 at 11:03 AM Tom Cooper <c...@tomcooper.dev> wrote:
>
> Hi Fabian,
>
> You make a good point; as there are only dependency updates, a 4.0.1 release
> makes more sense.
>
> At this point the 5.0 connector release could include the soon-to-be-released
> Kafka 4.0.1 client libraries (the RC for that is out already).
> I assume we would want to leave the Flink 2.1 upgrade to a future 5.1 release?
>
> Thanks for looking at this.
>
> Regards,
>
> Tom Cooper
> @tomcooper.dev | https://tomcooper.dev
>
>
> On Monday, 28 July 2025 at 09:51, Fabian Paul <fp...@apache.org> wrote:
>
> > Hi Tom,
> >
> > Thanks for starting this discussion. I think it's a good idea to do
> > another 4.1.0 release before proceeding with 5.0 to offer a release
> > with the vulnerability fixed without requiring users to upgrade to
> > Kafka 4.0. Is there a reason you prefer to do the 4.1.0 release
> > instead of the 4.0.1 release? I reviewed the changes between the
> > current main and the release 4.0.0 [1], and they are mostly dependency
> > upgrades and some fixes, but without any new features. What do you
> > think about doing a 4.0.1 release and then kicking off 5.0.0 with the
> > Kafka client upgrade?
> >
> > Best,
> > Fabian
> >
> > [1] https://github.com/apache/flink-connector-kafka/compare/v4.0...main
> >
> > On Fri, Jul 25, 2025 at 11:58 AM Tom Cooper c...@tomcooper.dev wrote:
> >
> > > Bumping this thread as we are now ready to merge the Kafka 4.0.0 client 
> > > update PR [1]. This will bump the major version of the connector to 5.0, 
> > > as we are dropping support for Kafka brokers running version 2.0.0 or 
> > > earlier.
> > >
> > > However, I still think it would be worth doing a 4.1.0 release of the 
> > > connector (with the Kafka 3.9.1 client), before the Kafka 4.0.0 client 
> > > update is merged.
> > >
> > > The current Flink Kafka Connector (4.0) has a critical CVE [2], which is 
> > > patched in the 3.9.1 Kafka client library (which the current main branch 
> > > of the Flink connector is using). Doing a 4.1 release of the connector 
> > > would cover any users of older Kafka versions that want this CVE patched 
> > > and also give a stable release of the connector using a point release of 
> > > the Kafka client (with all the bug fixes that entails). This would be a 
> > > good option for users who don't want to jump straight onto the new major 
> > > Kafka client version.
> > >
> > > What do people think?
> > >
> > > Tom Cooper
> > > @tomcooper.dev | https://tomcooper.dev
> > >
> > > [1] https://github.com/apache/flink-connector-kafka/pull/161
> > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-27817
> > >
> > > On Wednesday, 9 July 2025 at 09:35, Tom Cooper c...@tomcooper.dev wrote:
> > >
> > > > Hi,
> > > >
> > > > I would like to start a conversation about releases for the Flink 
> > > > Connector Kafka project.
> > > >
> > > > We have recently updated [0] to version 3.9.1 of the Kafka client 
> > > > library, which fixes a critical CVE [1]. With that in mind, I think it 
> > > > would be prudent to have a 4.1.0 release as soon as possible that 
> > > > includes this. It would also be good to include the dependency bumps 
> > > > from this PR [2] in that release.
> > > >
> > > > With the 4.1.0 release out, we could then move to looking at the Kafka 
> > > > 4.0 upgrade (there is already a PR [3] for that). The main point with 
> > > > the Kafka 4.0 upgrade is that it drops support for Kafka brokers 
> > > > running version 2.0.0 and lower. Given this, I think it would make 
> > > > sense to move the Connector version to 5.0.0 and maybe even move to 
> > > > Flink 2.1.0 (which should be available in a month or so). This 5.0.0 
> > > > release could also remove all the ZooKeeper-specific test infra and
> > > > move to KRaft-based clusters for testing. We could also move to a new,
> > > > updated Flink Connector Parent pom version [4] which would harmonise
> > > > the Java versions and plugins with the main Flink project.
> > > >
> > > > I think, if the above is acceptable, that these changes warrant a major 
> > > > version bump. Users of older Kafka clusters would still be able to use 
> > > > 4.1.0 (which is an argument for making sure that release has the most 
> > > > up-to-date dependencies).
> > > >
> > > > Anyway, I would love to hear what the community think of the above.
> > > >
> > > > Thanks,
> > > >
> > > > Tom Cooper
> > > > @tomcooper.dev | https://tomcooper.dev
> > > >
> > > > [0] https://github.com/apache/flink-connector-kafka/pull/180
> > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2025-27817
> > > > [2] https://github.com/apache/flink-connector-kafka/pull/181
> > > > [3] https://github.com/apache/flink-connector-kafka/pull/161
> > > > [4] https://github.com/apache/flink-connector-shared-utils/pull/48