
[Snyk] Security upgrade org.apache.kafka:connect-api from 3.9.1 to 4.2.0 #128

Open

d4v1de wants to merge 1 commit into master from snyk-fix-7d28265de02bc680a351094362aea09e

Conversation

d4v1de (Collaborator) commented Feb 17, 2026


Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

  • Out-of-bounds Read (high severity), SNYK-JAVA-ORGLZ4-14151788
    Score: 654 (max 1000)
    Upgrade: org.apache.kafka:connect-api 3.9.1 -> 4.2.0 (major version upgrade; no known exploit)
  • Insertion of Sensitive Information Into Sent Data (high severity), SNYK-JAVA-ORGLZ4-14219384
    Score: 624 (max 1000)
    Upgrade: org.apache.kafka:connect-api 3.9.1 -> 4.2.0 (major version upgrade; no known exploit)

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Read

d4v1de (Collaborator, Author) commented Feb 17, 2026

Merge Risk: High

This major version upgrade from a 3.x version to a 4.x version of Apache Kafka represents a significant architectural shift with substantial breaking changes. The provided versions 3.9.1 and 4.2.0 do not correspond to official Apache Kafka releases, but the jump from version 3 to 4 is the critical factor.

Key Breaking Changes in Apache Kafka 4.0:

  • ZooKeeper Removal: Kafka 4.0 and later operate exclusively in KRaft mode, completely removing the dependency on Apache ZooKeeper for metadata management. This is a fundamental architectural change requiring a migration of cluster metadata from ZooKeeper to a KRaft quorum. All configurations related to zookeeper.connect are obsolete and must be replaced with KRaft controller configurations.
  • Minimum Java Version: Kafka Brokers, Connect, and Tools now require a minimum of Java 17 to run. Kafka Clients and Streams require a minimum of Java 11.
  • Removed REST Endpoint: The deprecated GET /connectors/{connector}/tasks-config endpoint in Kafka Connect has been removed. Code must be updated to use GET /connectors/{connector}/tasks instead.
  • Client and Protocol Versions: Support for client protocol versions older than 2.1 has been removed. Clients must be upgraded to version 2.1 or higher before brokers are upgraded to 4.0.

Recommendation: This upgrade cannot be performed as a simple dependency bump. It requires a planned and careful migration of your entire Kafka cluster from a ZooKeeper-based architecture to the new KRaft-based architecture. You must review the official Apache Kafka upgrade and migration guides for version 4.0 before proceeding.

Source: Apache Kafka 4.0 Release Announcement, ZooKeeper to KRaft Migration Guide

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
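The merge-risk comment above lists concrete things that stop working when connect-api moves from 3.x to 4.x (zookeeper.connect configuration, the removed GET /connectors/{connector}/tasks-config endpoint, and a Java baseline below 17 for Connect). Before accepting the bump it is worth scanning the checkout for those patterns. The script below is an added example written for this page; it is not code from Snyk, from Apache Kafka, or from this repository. It assumes a conventional layout (properties files, Java sources and a root pom.xml), uses regular expressions as heuristics rather than a real parser, takes the Java 17 threshold from the comment above, and builds its own constructed sample tree so it runs offline.

```python
"""Audit a checkout for the Kafka 3.x -> 4.x breaking changes listed in the
merge-risk comment, before merging the connect-api bump.

Added example for this page; not part of the Snyk PR, the Kafka project or
this repository. The three checks map one-to-one to the comment's bullets:
  - zookeeper.connect settings (Kafka 4.x is KRaft-only)
  - the removed GET /connectors/{connector}/tasks-config REST endpoint
  - a Maven compiler level below Java 17 (Connect minimum in 4.x)
"""
import re
import tempfile
from pathlib import Path

# Assumed file types to scan; adjust to the repository layout.
SCAN_SUFFIXES = {".properties", ".java", ".kt", ".xml", ".yml", ".yaml", ".json", ".sh", ".py"}
MIN_JAVA_CONNECT = 17  # Kafka Connect 4.x minimum, per the comment above

ZOOKEEPER_KEY = re.compile(r"^[ \t]*zookeeper\.connect[ \t]*[=:]", re.MULTILINE)
# Matches the path suffix even when the URL is concatenated from pieces in code.
TASKS_CONFIG_ENDPOINT = re.compile(r"/tasks-config\b")
# maven-compiler-plugin <release> or the maven.compiler.* properties; accepts "1.8" style.
MAVEN_JAVA_LEVEL = re.compile(
    r"<(release|maven\.compiler\.(?:release|source|target))>\s*(1\.)?(\d+)\s*</\1>"
)


def _line_of(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def audit_text(path, text):
    """Return (path, line, message) findings for one file's contents."""
    findings = []
    for m in ZOOKEEPER_KEY.finditer(text):
        findings.append((path, _line_of(text, m.start()),
                         "zookeeper.connect is obsolete: Kafka 4.x runs KRaft only"))
    for m in TASKS_CONFIG_ENDPOINT.finditer(text):
        findings.append((path, _line_of(text, m.start()),
                         "GET .../tasks-config was removed in Kafka 4.0; use .../tasks"))
    if path.endswith("pom.xml"):  # only the build file carries the compiler level
        for m in MAVEN_JAVA_LEVEL.finditer(text):
            level = int(m.group(3))
            if level < MIN_JAVA_CONNECT:
                findings.append((path, _line_of(text, m.start()),
                                 f"<{m.group(1)}> is Java {level}; "
                                 f"Kafka Connect 4.x needs {MIN_JAVA_CONNECT}+"))
    return findings


def audit_tree(root):
    """Walk a checkout and audit every file with a scanned suffix."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in SCAN_SUFFIXES:
            text = p.read_text(encoding="utf-8", errors="replace")
            findings.extend(audit_text(str(p.relative_to(root)), text))
    return findings


def demo():
    """Build a constructed mini-repo in a temp dir and audit it (sample data, not a real project)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config").mkdir()
        (root / "src").mkdir()
        (root / "config" / "connect.properties").write_text(
            "bootstrap.servers=broker:9092\nzookeeper.connect=zk:2181\n")
        (root / "src" / "Client.java").write_text(
            'String url = base + "/connectors/" + name + "/tasks-config";\n')
        (root / "pom.xml").write_text(
            "<project><properties><maven.compiler.release>11</maven.compiler.release>"
            "</properties></project>\n")
        return audit_tree(root)


if __name__ == "__main__":
    for path, line, msg in demo():
        print(f"{path}:{line}: {msg}")
```

The two Snyk identifiers carry the group id org.lz4, so the reported issues sit in the lz4-java library that connect-api pulls in transitively through kafka-clients rather than in connect-api itself. After applying the pom.xml change, `mvn dependency:tree -Dincludes=org.lz4` shows which lz4-java version actually resolves, which is the thing the upgrade is meant to move.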

