[Snyk] Security upgrade org.apache.kafka:connect-json from 2.5.0 to 4.0.2

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• hudi-kafka-connect/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	170	org.apache.kafka:connect-json: 2.5.0 -> 4.0.2 Major version upgrade No Path Found Proof of Concept

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[snyk-io]

This is a major version upgrade from 2.5.0 to a version in the 4.x line, which does not officially exist for Apache Kafka. Assuming the upgrade targets the 3.x line, several breaking changes and important deprecations were introduced in Apache Kafka 3.0.0 that require attention.

Key Changes & Risks:

• Java 8 Deprecation: Support for Java 8 is deprecated in Kafka 3.0.0 and is planned for removal in the future Kafka 4.0.0. While not an immediate break, this is a critical consideration for future environment compatibility.
• Default Producer Behavior Change: The default delivery guarantee for producers is now acks=all (previously acks=1). This makes delivery guarantees stronger by default but may impact performance and application logic that relied on the previous default.
• Kafka Connect Client Override Policy: A significant breaking change in Kafka Connect is that the connector.client.config.override.policy property default has been changed to None. Previously, it was All, which allowed connector configurations to be overridden by the broker. Connectors relying on this override behavior will need to be reconfigured.
• Scala 2.12 Deprecation: Support for Scala 2.12 is also deprecated and planned for removal in Kafka 4.0.0.

Recommendation:

• Verify the target version of the upgrade, as 4.0.2 is not a standard Apache Kafka release. The analysis is based on the breaking changes introduced in the 3.0.0 release.
• Review connector configurations to ensure they do not rely on the previous default for connector.client.config.override.policy.
• Plan for a Java runtime upgrade to version 11 or later to align with the project's future direction.

Source: Apache Kafka 3.0.0 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.