
[Snyk] Fix for 1 vulnerabilities #135

Open
d4v1de wants to merge 1 commit into master from snyk-fix-9194b2cb78df5c2588d572f18f88bf07

Conversation

d4v1de (Collaborator) commented Apr 5, 2026


Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue: high severity, Allocation of Resources Without Limits or Throttling (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551)
Score: 721
Upgrade:
  • com.fasterxml.jackson.dataformat:jackson-dataformat-csv: 2.16.2 -> 2.21.2
  • org.apache.kafka:connect-json: 3.9.1 -> 4.0.0
  • org.apache.kafka:connect-runtime: 3.9.1 -> 4.0.0
Breaking change: Major version upgrade
Exploit maturity: No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

d4v1de (Collaborator, Author) commented Apr 5, 2026

Merge Risk: High

This set of upgrades includes a major version bump for Apache Kafka Connect, which introduces significant breaking changes requiring infrastructure and code modifications. The Jackson CSV upgrade also contains behavioral changes that warrant verification.

1. org.apache.kafka:connect-json / connect-runtime @ 3.9.1 → 4.0.0

Risk: HIGH

This major upgrade to Apache Kafka 4.0.0 requires significant planning and cannot be performed as a simple dependency bump. Key breaking changes include:

  • Mandatory ZooKeeper Removal: Kafka 4.0.0 completely removes support for ZooKeeper. Clusters must be migrated to KRaft (Kafka Raft Metadata Mode) before upgrading to this version. [1, 2, 3] This is a substantial operational change to your Kafka infrastructure.
  • Java 17 Required: Kafka Connect and its associated tools now require Java 17 to run, an increase from previous versions. [4] Your runtime environment must be updated to meet this requirement.
  • Deprecated API Removal: APIs that were deprecated for over a year have been removed, in line with KIP-896. [1, 4] This includes methods within Kafka Streams like KStreams#transformValues(), which has been removed and must be replaced with KStreams#processValues(). [5]

Recommendation: Do not merge this upgrade without a comprehensive migration plan. The transition from ZooKeeper to KRaft and the required Java 17 update must be addressed first. Code using deprecated APIs will need to be refactored.

Source: Apache Kafka 4.0.0 Release Announcement, Migration Guide

2. com.fasterxml.jackson.dataformat:jackson-dataformat-csv @ 2.16.2 → 2.21.2

Risk: MEDIUM

This upgrade spans multiple minor versions and introduces several behavioral changes that could impact your application:

  • Stricter Number Parsing: As of version 2.17, string values with leading zeroes (e.g., "07") are no longer automatically coerced into numbers. [25]
  • Kotlin Support: Support for Kotlin 1.7.x was dropped in version 2.18. [26]
  • Mapper Synchronization: Synchronization was removed from CsvMapper in version 2.18 to improve performance, which could affect thread-safety in certain use cases. [19]

Recommendation: Verify that your application is not reliant on the previous lenient parsing behaviors. If you are using Kotlin, ensure your version is 1.8 or higher. Review any multi-threaded use of CsvMapper to ensure it remains safe.

Source: Jackson Release Notes (2.17-2.21)

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
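The review above boils down to two mechanical checks a reviewer can script before trusting the "Merge Risk" label: does the new pom.xml actually carry the versions the PR table promises, and which of those bumps cross a major version boundary? The following Python is an added example written for this page; it is not code from the project, from Snyk, or from Apache Kafka. The two pom.xml documents are constructed to match the coordinates in the PR table (the real pom.xml may pin these versions through properties, a parent, or dependencyManagement, which this helper only partly handles), and the risk heuristic in `merge_risk` is an assumption of this example, not Snyk's scoring.

```python
"""Added example, not the project's code: diff Maven dependency versions
between two pom.xml documents, classify each bump (major/minor/patch), and
check that the "after" versions meet the minimums stated in the PR table."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample poms for the example; not the repository's real pom.xml.
# Kafka Connect artifacts are pinned through a property, as many poms do,
# so the helper has to resolve ${kafka.version} before comparing.
POM_BEFORE = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <kafka.version>3.9.1</kafka.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId>
      <artifactId>jackson-dataformat-csv</artifactId>
      <version>2.16.2</version>
    </dependency>
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>connect-json</artifactId>
      <version>${kafka.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>connect-runtime</artifactId>
      <version>${kafka.version}</version>
    </dependency>
  </dependencies>
</project>
"""
# The "after" pom is the same document with the PR's target versions applied.
POM_AFTER = POM_BEFORE.replace("3.9.1", "4.0.0").replace("2.16.2", "2.21.2")

# Minimum versions the PR table says resolve the issue (groupId:artifactId).
REQUIRED = {
    "com.fasterxml.jackson.dataformat:jackson-dataformat-csv": "2.21.2",
    "org.apache.kafka:connect-json": "4.0.0",
    "org.apache.kafka:connect-runtime": "4.0.0",
}


def parse_version(version):
    """Turn '2.21.2' into (2, 21, 2), padded to three numeric components.
    Non-numeric components (qualifiers such as 'rc1') sort below numbers."""
    parts = [int(p) if p.isdigit() else -1 for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def dependencies(pom_xml):
    """Return {'groupId:artifactId': version} from the top-level <dependencies>,
    with ${property} references resolved from the pom's own <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    deps = {}
    for dep in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        coord = f"{dep.findtext(POM_NS + 'groupId')}:{dep.findtext(POM_NS + 'artifactId')}"
        raw = dep.findtext(POM_NS + "version") or ""
        # Substitute ${name}; unknown properties are left as-is so they show up in review.
        deps[coord] = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)), raw).strip()
    return deps


def classify_bump(old, new):
    """Semantic-version bump class: 'none', 'patch', 'minor' or 'major'."""
    o, n = parse_version(old), parse_version(new)
    if n == o:
        return "none"
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def review(before_xml, after_xml, required):
    """For each required coordinate: old/new version, bump class, and whether
    the new version meets the minimum the PR claims fixes the issue."""
    before, after = dependencies(before_xml), dependencies(after_xml)
    report = {}
    for coord, minimum in required.items():
        old, new = before.get(coord, ""), after.get(coord, "")
        report[coord] = {
            "old": old,
            "new": new,
            "bump": classify_bump(old, new) if old and new else "unknown",
            "fixed": bool(new) and parse_version(new) >= parse_version(minimum),
        }
    return report


def merge_risk(report):
    """Assumed heuristic for this example (not Snyk's scoring): an unfixed
    coordinate blocks the merge, any major bump is high risk, minor is medium."""
    if not all(r["fixed"] for r in report.values()):
        return "unfixed"
    bumps = {r["bump"] for r in report.values()}
    if "major" in bumps:
        return "high"
    if "minor" in bumps:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = review(POM_BEFORE, POM_AFTER, REQUIRED)
    for coord, r in result.items():
        print(f"{coord}: {r['old']} -> {r['new']} ({r['bump']}, fixed={r['fixed']})")
    print("merge risk:", merge_risk(result))
```

Run as-is the script reports the two Kafka Connect coordinates as major bumps and the Jackson CSV coordinate as a minor bump, so `merge_risk` returns "high", matching the label on this PR. Pointing `POM_BEFORE` and `POM_AFTER` at the real files from `master` and the `snyk-fix-…` branch (and extending `dependencies` to walk `dependencyManagement` if the project uses it) turns this into a pre-merge check that the pom really pins the versions the table claims.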



2 participants