Skip to content

chore(deps): bump io.strimzi:kafka-oauth-common from 0.15.0 to 0.16.2 #2163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

chore(deps): bump io.strimzi:kafka-oauth-common from 0.15.0 to 0.16.2 #2163

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Apr 21, 2025

Bumps io.strimzi:kafka-oauth-common from 0.15.0 to 0.16.2.

Release notes

Sourced from io.strimzi:kafka-oauth-common's releases.

0.16.2

Main Changes since 0.16.1

Properly fixed version of json-smart transitive dependency for third parties (#266)

Properly bumped json-smart version to 2.5.2 in order to address CVE-2024-57699 brought in by JsonPath 2.9.0. It also fixes json-smart version being pulled in for third party projects using OAuth project’s artifacts.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.16.2 milestone.

0.16.2-rc1

Main Changes since 0.16.1

Properly fixed version of json-smart transitive dependency for third parties (#266)

Properly bumped json-smart version to 2.5.2 in order to address CVE-2024-57699 brought in by JsonPath 2.9.0. It also fixes json-smart version being pulled in for third party projects using OAuth project’s artifacts.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.16.2 milestone.

Staging repository

To test the release, use the staging repository by including the following in your pom.xml:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1263</url>
    </repository>
  </repositories>

0.16.1

Main Changes since 0.16.0

Unsuccessfully bumped json-smart version to 2.5.2

Unsuccessfully bumped json-smart version to 2.5.2 in order to address CVE-2024-57699 brought in by JsonPath 2.9.0. It does not fix json-smart version 2.5.0 being pulled in for third party projects using OAuth project’s artifacts. Users should wait for 0.16.2 with a proper fix and ignore the 0.16.1.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.16.1 milestone.

0.16.1-rc1

Main Changes since 0.16.0

Bumped json-smart version to 2.5.2

Addressed the CVE-2024-57699 brought in via JsonPath 2.9.0

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.16.1 milestone.

Staging repository

... (truncated)

Changelog

Sourced from io.strimzi:kafka-oauth-common's changelog.

0.16.2

Properly override json-smart version to 2.5.2 to address CVE-2024-57699 warnings

The version override in 0.16.1 was inadequate. It didn't work for third party components using the OAuth components. They would still transitively bring in net.minidev:json-smart version 2.5.0.

0.16.1

Override json-smart version to 2.5.2 to address CVE-2024-57699 warnings

net.minidev:json-smart is a transitive dependency pulled in by com.jayway.jsonpath:json-path. There is a PR open at JsonPath project json-path/JsonPath#1030 Once the new version of JsonPath is released, with the fixed dependency, we can remove the override.

0.16.0

Using Kafka 4.0.0

Kafka 4.0.0 server-side libraries are built with Java 17 bytecode compatibility. The client libraries are still built with Java 11 bytecode compatibility.

Java 17 required for building the project

Java 17 is now required for building the project libraries. The example clients and the testsuite can also run with Java 11. All the components are built with Java 11 bytecode compatibility except kafka-oauth-keycloak-authorizer which requires Java 17 due to the dependency on server-side Kafka 4.0.0 libraries.

Removed support for KeycloakAuthorizer ACL delegation in Zookeeper mode

KeycloakAuthorizer can be configured to delegate authorization decision to standard ACL authorizer provided by Kafka. Since Zookeeper mode is no longer supported, the ACL authorizer delegation only works if the Kafka node runs in KRaft mode. If KeycloakAuthorizer is deployed to Kafka running in Zookeeper mode, and strimzi.authorization.delegate.to.kafka.acl is set to true, the broker will fail to start.

Kafka 4.x users should upgrade to this OAuth version (0.16.0). Kafka 3.x users can also use this OAuth version in both Kraft or Zookeeper mode, but if they use KeycloakAuthorizer with ACL delegation, that will not work in Zookeeper mode.

Added a test and a fix for 'Overflow parsing timestamps in oauth JWTs as 32 bit int'

See #260

Commits
  • 923af2c Prepare for 0.16.2 release
  • a3a58f9 Properly fix version of json-smart transitive dependency for third parties (#...
  • 12c393c Bump json-smart version to 2.5.2 (#265)
  • 786412d Remove any Zookeeper specific functionality and dependencies (#264)
  • a7b81eb A test and a fix for #260 - Int overrun parsing EXP and IAT from JWT token (#...
  • a4b7a7a Remove Java 8 support + move the testsuite from Travis to Azure (#261)
  • 951c407 Bump dependencies versions in examples and testsuite, and some cleanup (#259)
  • 6271236 Update default testsuite kafka image to 0.45.0-kafka-3.9.0 (#258)
  • 46f34a9 Improve kerberos tests in testsuite to work with Podman (#257)
  • 45eb5ec Added Kate Stanley as new maintainer (#255)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump io.strimzi:kafka-oauth-common from 0.15.0 to 0.16.2
f469506 
Bumps [io.strimzi:kafka-oauth-common](https://github.com/strimzi/strimzi-kafka-oauth) from 0.15.0 to 0.16.2.
- [Release notes](https://github.com/strimzi/strimzi-kafka-oauth/releases)
- [Changelog](https://github.com/strimzi/strimzi-kafka-oauth/blob/main/RELEASE_NOTES.md)
- [Commits](strimzi/strimzi-kafka-oauth@0.15.0...0.16.2)

---
updated-dependencies:
- dependency-name: io.strimzi:kafka-oauth-common
  dependency-version: 0.16.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependency-upgrade Pull requests that update a dependency file label Apr 21, 2025
@dependabot dependabot bot mentioned this pull request Apr 21, 2025
Closed
@github-project-automation github-project-automation bot moved this to Backlog in Backlog Apr 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependency-upgrade Pull requests that update a dependency file
Projects
Backlog
Status: Backlog
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants