- Bug
- Resolution: Won't Do
- Critical
- 7.13.0.GA
- Release Notes
- CR1
- Workaround Exists
The kafka-clients dependency version for Kogito Spring Boot is managed by default by the org.springframework.boot:spring-boot-dependencies BOM.
Depending on which Spring Boot version is used, users might end up with an unsupported or vulnerable version of kafka-clients. The goal is to be in sync with the versions of the kafka-clients dependency released by AMQ Streams.
- spring-boot-dependencies:2.5.12 (latest RH supported release) brings in kafka-clients:2.7.2, which is vulnerable to RHPAM-3940.
- spring-boot-dependencies:2.6.6 (currently configured in community) brings in kafka-clients:3.0.1, which is not a RH supported version.
We need to override the default dependency in our kogito-spring-boot-bom to make sure we stick to the expected kafka-clients version.
In the case of Quarkus, the kafka-clients version is correctly managed by quarkus-bom (using the version supported by AMQ Streams 2.1). So we probably don't want to override dependencyManagement there, but rather synchronize between runtimes.
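A sketch of the kind of override described above, as an added example rather than the actual kogito-spring-boot-bom content: a POM fragment that imports spring-boot-dependencies but pins kafka-clients itself. The property name `version.kafka-clients` and its placeholder value are assumptions; the page does not state which kafka-clients version AMQ Streams ships.

```xml
<!-- Added illustration: fragment of a BOM or application POM.
     Not taken from kogito-spring-boot-bom. -->
<properties>
  <!-- Placeholder (assumption): set to the kafka-clients version released by
       the AMQ Streams version you align with. -->
  <version.kafka-clients>REPLACE_WITH_AMQ_STREAMS_ALIGNED_VERSION</version.kafka-clients>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- A version declared directly in dependencyManagement takes precedence
         over the same artifact managed by an imported BOM, so this entry wins
         over the kafka-clients version that spring-boot-dependencies brings in. -->
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>kafka-clients</artifactId>
      <version>${version.kafka-clients}</version>
    </dependency>

    <!-- Spring Boot BOM import; 2.5.12 is the RH supported release named above,
         which on its own manages kafka-clients to 2.7.2. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>2.5.12</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running `mvn dependency:tree -Dincludes=org.apache.kafka:kafka-clients` in a consuming project shows which kafka-clients version is actually resolved after the override.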
- is related to: RHPAM-4419 Kogito aligned with non supported Spring Boot version (Closed)