Update Kafka version to 3.4.0 in Spring-kafka

[sourabhsparkala]

Spring-kafka 3.0.2

Kafka Connect brings in CVE-2023-25194 for Kafka versions < 3.4.0

The question is to check if Spring-kafka can be updated to the latest version of Kafka 3.4.0?
Would it cause any regressions?

[garyrussell]

Yes, you can use 3.4.0; see https://docs.spring.io/spring-kafka/docs/3.0.3-SNAPSHOT/reference/html/#update-deps

Although the doc also shows 3.0.3-SNAPSHOT, no changes were necessary to use the new version.

However, the vulnerability applies only to Kafka Connect, which is not used by this project, so it is only an issue if you use this project and Kafka Connect in the same application.

[garyrussell]

We cannot change the version used by this project (except to future 3.3.x versions) because Spring versioning rules don't allow it. We would have to create a whole new version of this project just for that, which is not practical.

[labulalala]

Yes, you can use 3.4.0; see https://docs.spring.io/spring-kafka/docs/3.0.3-SNAPSHOT/reference/html/#update-deps

Although the doc also shows 3.0.3-SNAPSHOT, no changes were necessary to use the new version.

However, the vulnerability applies only to Kafka Connect, which is not used by this project, so it is only an issue if you use this project and Kafka Connect in the same application.

Hi @garyrussell , I upgrade to kakfa-clients 3.4.0, but when I run my test with spring-kafka-test 2.8.11 I got the error "java.lang.NoClassDefFoundError: kafka/api/ApiVersion". Do I have to use version 3.x.x of spring-kafka-test if I use kafka-clients 3.4.0 ?

[garyrussell]

@labulalala 2.8.x is out of OSS support: https://spring.io/projects/spring-kafka#support

Use 2.9.x with Boot 2.7.x and 3.0.x with Boot 3.0.x.

2.9.5 or later is required to use the 3.4.0 clients, and all spring-kafka* jars must be the same version and all *kafka* jars must be the same version (3.4.0). See https://stackoverflow.com/questions/75458160/updating-kafka-version-over-3-2-3-crashes-embeddedkafka-unit-tests/75461868#75461868

[garyrussell]

If you are not using Spring Boot, you must override all the kafka dependencies brought in by spring-kafka-test:

[copbint]

will spring boot 2.7.x upgrade spring-kafka to 2.9.x ?

[labulalala]

@garyrussell Thank you very much! It solves the problem

[garyrussell]

@copbint No. Spring versioning rules only allow them to upgrade to new patch release versions in their patch releases (2.7.x). They are not allowed to upgrade dependencies to a new minor or major version.

SK 2.9.x is fully compatible with Boot 2.7.x and overriding its prescribed version is quite easy.