Upgrade pekko for CVE‐2025‐12183

[abscondment]

pekko pulls in the vulnerable org.lz4:lz4-java:1.8.0 dependency.

They have fixed this in the 1.4.0 milestone (apache/pekko#2539)

This ticket to track upgrading when possible.

[mkurz]

In main branch yes, upgrade.

In stable 3.0.x and 2.9.x branches we need to exclude "org.lz4" % "lz4-java" from the pekko dependencies and explicitly upgrade to "at.yawk.lz4" % "lz4-java" % "1.9.0"

[mkurz]

I will upgrade and push a new release next week.

[mkurz]

• [3.0.x] lz4-java 1.8.1 #13682

[rtyley]

I will upgrade and push a new release next week.

Hi @mkurz - does it look like you'll be able to make a v3 release containing this fix within the next few days?

Thanks for pointing out the config required to manually adopt the at.yawk.lz4) library by the way - we're just trying to plan (before Christmas!) whether we should roll out that config change to all our apps at the Guardian, or use the forthcoming Play release.

[mkurz]

I am doing a patch release until Thursday.