kirktrue commented on PR #21518: URL: https://github.com/apache/kafka/pull/21518#issuecomment-3930923806
Thanks for the PR @yykkibbb! We don't want to include jose4j as a dependency for the Kafka clients because: 1. To avoid size bloat of the clients JAR 2. Avoid introducing potentially incompatible versions of the library 3. Reduce the surface area for users in case of CVEs for jose4j or its dependencies jose4j is only included in the runtime when the OAuth classes are used by the broker. See [my comment on the corresponding Jira](https://issues.apache.org/jira/browse/KAFKA-20184?focusedCommentId=18059833&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-18059833). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
