Recent downstream versions of io.quarkus:quarkus-bom manage org.lz4:lz4-java at version 1.7.1.redhat-00003:

• https://maven.repository.redhat.com/ga/io/quarkus/quarkus-bom/2.2.3.Final-redhat-00013/quarkus-bom-2.2.3.Final-redhat-00013.pom
• and the same in 2.2.5.CR1 https://download.eng.bos.redhat.com/rcm-guest/staging/quarkus/quarkus-2.2.5.CR2/

org.lz4:lz4-java is not managed in the underlying upstream versions

• https://repo1.maven.org/maven2/io/quarkus/quarkus-bom/2.2.5.Final/quarkus-bom-2.2.5.Final.pom
• https://repo1.maven.org/maven2/io/quarkus/quarkus-bom/2.2.3.Final/quarkus-bom-2.2.3.Final.pom

So the change must have happened in the product branch or perhaps during productization.

I wonder whether an equivalent change should not have been ported to upstream main and 2.7 branches at least to ensure forward compatibility for the end users?
Not porting to main actually violates the "Upstream first" sustaining engineering rule.

The bottom line is that by not getting lz4-java managed via Quarkus BOM, we get an older version 1.6.0 via kafka-clients in the upstream.