skaluva commented on PR #21035:
URL: https://github.com/apache/kafka/pull/21035#issuecomment-3686828648
> > 'org.lz4:lz4-java:1.8.1
>
> Simple example demonstrating the issue mentioned by @mimaison:
>
> ```
> plugins {
>     id 'java'
> }
>
> repositories {
>     mavenCentral()
> }
>
> dependencies {
>     // (1) only -> success
>     // (2) only -> error, but: capability conflict not expected
>     // (3) only -> success
>     // (1) + (2) -> error (expected?)
>     // (1) + (3) -> error (capability conflict as expected)
>     // (2) + (3) -> error (capability conflict as expected)
>
>     // implementation 'org.lz4:lz4-java:1.8.0' // (1)
>     implementation 'org.lz4:lz4-java:1.8.1' // (2)
>     // implementation 'at.yawk.lz4:lz4-java:1.8.1' // (3)
> }
> ```
>
> If only `org.lz4:lz4-java:1.8.1` (2) is used, this unexpected build error will occur:
>
> ```
> Could not determine the dependencies of task ':testlz4:compileJava'.
> > Could not resolve all dependencies for configuration ':testlz4:compileClasspath'.
> > Could not resolve org.lz4:lz4-java:1.8.1.
> Required by:
> project :testlz4
> > Module 'org.lz4:lz4-java' has been rejected:
> Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [at.yawk.lz4:lz4-java:1.8.1(apiElements)]
> > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
> Required by:
> project :testlz4 > org.lz4:lz4-java:1.8.1
> > Module 'at.yawk.lz4:lz4-java' has been rejected:
> Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [org.lz4:lz4-java:1.8.1(compile)]
> ```
>
> There might be an issue with the capability configuration together with the relocation settings, which could be the reason for the problem.

I'm facing exactly this, struggling to switch this dependency to the new
group. But with the Gradle capability feature, it works when I define it like this:
```
dependencies {
    implementation("org.apache.kafka:kafka-clients:3.9.1") {
        // Drop the transitive lz4-java that kafka-clients pulls in under the old group
        exclude group: "org.lz4", module: "lz4-java"
    }
    implementation "at.yawk.lz4:lz4-java:1.10.1" // group changed in newer versions
}

configurations.configureEach {
    resolutionStrategy {
        // 1. Resolve capability conflict (CRITICAL)
        capabilitiesResolution.withCapability("org.lz4:lz4-java") {
            select("at.yawk.lz4:lz4-java:1.10.1")
            because("CVE-2025-12183, CVE-2025-66566 – groupId migrated")
        }
    }
}
```
But in my case the problem is that all consumers of my internal framework
(which uses the above kafka-clients) are forced to define the above logic to make it
work, which I didn't like. I hope that in newer versions of kafka-clients, they update
their dependency graph with the new group.
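
A check that can sit next to the exclude and capability selection shown in the comment above, so that a later dependency change cannot quietly bring the old `org.lz4` coordinates back onto the classpath. This is an added example, not code from the commenter or from the Kafka project; it assumes the `java` plugin is applied (for `runtimeClasspath` and `check`), and the task name `verifyLz4Coordinates` is hypothetical.

```groovy
// build.gradle (Groovy DSL), added example.
// Assumption: the 'java' plugin is applied, which provides runtimeClasspath and check.

// The resolution result is lazy: the graph is only resolved when it is read in doLast.
def lz4Resolution = configurations.runtimeClasspath.incoming.resolutionResult

// Hypothetical task name, not part of any plugin.
tasks.register("verifyLz4Coordinates") {
    group = "verification"
    description = "Fails if lz4-java is still resolved from the old org.lz4 group."
    doLast {
        // Every resolved component named lz4-java, regardless of group.
        def lz4 = lz4Resolution.allComponents.findAll {
            it.moduleVersion?.name == "lz4-java"
        }
        // Components that still carry the pre-migration group.
        def oldGroup = lz4.findAll { it.moduleVersion.group == "org.lz4" }
        if (oldGroup) {
            throw new GradleException(
                "Old lz4-java coordinates still resolved: " +
                oldGroup*.moduleVersion.join(", ") +
                " (expected only at.yawk.lz4:lz4-java)")
        }
        // Report what was actually selected so the version is visible in build logs.
        lz4.each { logger.lifecycle("lz4-java resolved as ${it.moduleVersion}") }
    }
}

// Run the verification as part of the normal check lifecycle.
tasks.named("check") {
    dependsOn("verifyLz4Coordinates")
}
```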