@guptas6est
Contributor

Fixes #xyz

Main Issue: #xyz

PIP: #xyz

Motivation

This PR addresses two medium-severity CVEs affecting the transitive dependency org.apache.kafka:kafka-clients used in the pulsar-io/kinesis-kpl-shaded module.

Vulnerabilities remediated:

  • CVE-2024-31141 – Privilege escalation to filesystem read-access via automatic ConfigProvider
  • CVE-2025-27817 – Kafka Client Arbitrary File Read SSRF

Modifications

Explicitly added org.apache.kafka:kafka-clients dependency under dependencyManagement to enforce a safe, fixed version across transitive usages.

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 3, 2025
@lhotari
Member

lhotari commented Nov 3, 2025

> This PR addresses two medium-severity CVEs affecting the transitive dependency org.apache.kafka:kafka-clients used in the pulsar-io/kinesis-kpl-shaded module.

This change seems to be unnecessary since the kafka-clients version is already enforced by:

    <dependencyManagement>
      <dependencies>
        <!-- enforce kafka client version that gets pulled transitively -->
        <dependency>
          <groupId>org.apache.kafka</groupId>
          <artifactId>kafka-clients</artifactId>
          <version>${kafka-client.version}</version>
        </dependency>
      </dependencies>
    </dependencyManagement>

The kinesis-kpl-shaded dependency isn't intended to be used externally. It's only used for the Kinesis IO connector.

@guptas6est
Contributor Author

Thanks for the clarification, @lhotari. I made this change because the Trivy scan showed two CVEs in org.apache.kafka:kafka-clients under the pulsar-io/kinesis-kpl-shaded module.

I added the same version override here to make sure the CVEs were fixed, as it looked like the version from pulsar-io/kinesis wasn’t being applied to kinesis-kpl-shaded. This was mainly to keep the versions consistent and clear the security warnings.
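The point in dispute above (whether the version managed in the parent pom actually reaches kinesis-kpl-shaded) can be settled from the output of `mvn -pl pulsar-io/kinesis-kpl-shaded dependency:tree -Dverbose`, which annotates each node with "version managed from X" when dependencyManagement replaced the transitive version and "omitted for conflict" for the versions it discarded. The parser below is an added example, not code from this PR or the Pulsar project; the module name, library name and version numbers in the embedded sample tree are constructed placeholders.

```python
"""Parse `mvn dependency:tree -Dverbose` output to see which version of a
transitive artifact a module really uses. Added example, not Pulsar code."""
SCOPES = {"compile", "provided", "runtime", "test", "system"}
MANAGED = "version managed from "

def parse_tree(text):
    """Return a list of {ga, version, note, parent} dicts, one per tree node."""
    nodes, stack = [], []                        # stack[i]: last node at depth i
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[7:]
        rest = body.lstrip("|+\\- ")             # drop the tree-drawing prefix
        depth = (len(body) - len(rest)) // 3     # each level is 3 chars wide
        coords, _, note = rest.partition(" (")   # note: verbose annotation
        p = coords.split(":")                    # g:a:type[:classifier]:version[:scope]
        if " " in coords or len(p) not in (4, 5, 6) or (len(p) == 5 and p[4] not in SCOPES):
            continue                             # not a coordinate line
        del stack[depth:]                        # pop back to this node's level
        node = {"ga": f"{p[0]}:{p[1]}", "version": p[4] if len(p) == 6 else p[3],
                "note": note.rstrip(")"), "parent": stack[-1] if stack else None}
        stack.append(node)
        nodes.append(node)
    return nodes

def resolve(nodes, ga):
    """Effective version of ga, the version dependencyManagement replaced (if any),
    the path that pulls it in, and versions Maven omitted in its favour."""
    omitted = sorted({n["version"] for n in nodes
                      if n["ga"] == ga and n["note"].startswith("omitted")})
    for n in nodes:
        if n["ga"] == ga and not n["note"].startswith("omitted"):
            path, p = [], n
            while p is not None:
                path.append(p["ga"])
                p = p["parent"]
            managed = n["note"][len(MANAGED):] if n["note"].startswith(MANAGED) else None
            return {"version": n["version"], "managed_from": managed,
                    "path": path[::-1], "omitted": omitted}
    return None

# Constructed sample of `mvn -pl <module> dependency:tree -Dverbose` output;
# module, library and version numbers are placeholders, not Pulsar's own.
SAMPLE_TREE = """\
[INFO] example.group:kinesis-kpl-shaded:jar:1.0.0
[INFO] +- example.group:kinesis-producer-library:jar:2.0.0:compile
[INFO] |  \\- org.apache.kafka:kafka-clients:jar:3.0.1:compile (version managed from 2.8.0)
[INFO] \\- org.apache.kafka:kafka-clients:jar:2.8.0:compile (omitted for conflict with 3.0.1)
"""
```

A result with `managed_from` set confirms the override applied in that module; a result with `managed_from` of None and the KPL's own version in `version` is the situation the Trivy finding would indicate.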

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.26%. Comparing base (402ed5b) to head (00bb273).
⚠️ Report is 2 commits behind head on master.

@@             Coverage Diff              @@
##             master   #24935      +/-   ##
============================================
- Coverage     74.28%   74.26%   -0.02%     
- Complexity    33886    33890       +4     
============================================
  Files          1913     1913              
  Lines        149425   149425              
  Branches      17358    17358              
============================================
- Hits         111001   110975      -26     
- Misses        29572    29592      +20     
- Partials       8852     8858       +6     
Flag       Coverage   Δ
inttests   26.14%     <ø> (-0.10%) ⬇️
systests   22.74%     <ø> (-0.03%) ⬇️
unittests  73.80%     <ø> (+<0.01%) ⬆️


@lhotari lhotari merged commit 8cb1040 into apache:master Nov 3, 2025
52 of 53 checks passed
@lhotari lhotari changed the title from "[fix][sec] Override kafka-clients to remediate CVE-2024-31141 and CVE-2025-27817" to "[fix][sec] Override kafka-clients in kinesis-kpl-shaded to remediate CVE-2024-31141 and CVE-2025-27817" Nov 3, 2025
@lhotari lhotari added this to the 4.2.0 milestone Nov 3, 2025
ganesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 6, 2025
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 6, 2025