Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.

slfan1989 · slfan1989 · commit 805cd563bf01 · 2025-12-28T21:29:22.000+08:00
diff --git a/build.gradle b/build.gradle
@@ -370,7 +370,10 @@ project(':iceberg-core') {
       exclude group: 'org.tukaani' // xz compression is not supported
     }
 
-    implementation libs.aircompressor
+    implementation(libs.aircompressor) {
+      exclude group: 'org.lz4'
+    }
+    implementation libs.lz4Java
     implementation libs.httpcomponents.httpclient5
     implementation platform(libs.jackson.bom)
     implementation libs.jackson.core
@@ -1230,3 +1233,17 @@ project(':iceberg-bom') {
   // Needed to get the "faked" Scala artifacts into the bom
   javaPlatform { allowDependencies() }
 }
+
+subprojects {
+  if (project.name.startsWith('iceberg-spark') ||
+      project.name.startsWith('iceberg-flink') ||
+      project.name.startsWith('iceberg-kafka-connect')) {
+
+    configurations.all {
+      resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+        select("at.yawk.lz4:lz4-java:0")
+        because("Fix lz4-java capability conflict from relocation and CVE fixes")
+      }
+    }
+  }
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -72,6 +72,7 @@ junit = "5.14.1"
 junit-platform = "1.14.1"
 kafka = "3.9.1"
 kryo-shaded = "4.0.3"
+lz4Java = "1.10.2"
 microprofile-openapi-api = "3.1.2"
 mockito = "4.11.0"
 mockserver = "5.15.0"
@@ -162,6 +163,7 @@ kafka-clients = { module = "org.apache.kafka:kafka-clients", version.ref = "kafk
 kafka-connect-api = { module = "org.apache.kafka:connect-api", version.ref = "kafka" }
 kafka-connect-json = { module = "org.apache.kafka:connect-json", version.ref = "kafka" }
 kafka-connect-transforms = { module = "org.apache.kafka:connect-transforms", version.ref = "kafka" }
+lz4Java = { module = "at.yawk.lz4:lz4-java", version.ref = "lz4Java" }
 microprofile-openapi-api = { module = "org.eclipse.microprofile.openapi:microprofile-openapi-api", version.ref = "microprofile-openapi-api" }
 nessie-client = { module = "org.projectnessie.nessie:nessie-client", version.ref = "nessie" }
 netty-buffer = { module = "io.netty:netty-buffer", version.ref = "netty-buffer" }
