Skip to content

Substitute org.lz4:lz4-java with at.yawk.lz4:lz4-java in all subprojects#39297

Open
sjvanrossum wants to merge 1 commit into
apache:masterfrom
sjvanrossum:lz4-java-substitution
Open

Substitute org.lz4:lz4-java with at.yawk.lz4:lz4-java in all subprojects#39297
sjvanrossum wants to merge 1 commit into
apache:masterfrom
sjvanrossum:lz4-java-substitution

Conversation

@sjvanrossum

Copy link
Copy Markdown
Contributor

Initially I ran into capability conflicts with #39284 and #39285 because Kafka 3.9.2 and up depend on at.yawk.lz4:lz4-java.
I figured I'd set up conflict resolution for org.lz4:lz4-java and at.yawk.lz4:lz4-java at the root, but realized that usage of org.lz4:lz4-java is undesirable to begin with because it's unmaintained and every version has known security vulnerabilities.
Capability conflict resolution isn't enough to replace every dependency (including transitive) on org.lz4:lz4-java, but this can be solved with dependency substitutions instead (including transitive). Building KafkaIO (prior to #39284) on its own does not trigger a capability conflict since no modules providing the org.lz4:lz4-java capability are requested by dependencies of KafkaIO.

KafkaIO specifies a compileOnly/provided dependency on Kafka client libraries so the substitution shouldn't propagate in any Beam artifacts, which means that users of KafkaIO are responsible for substituting org.lz4:lz4-java where/when applicable.
The substitution would be propagated in Beam artifacts with a direct or transitive implementation dependency on org.lz4:lz4-java, meaning that any dependency on Beam artifacts will transitively include at.yawk.lz4:lz4-java instead.

If the above is considered overly paranoid, then retaining the current resolution strategy while simplifying maintenance of capability conflict resolution for org.lz4:lz4-java looks something like this:

subprojects {
  configurations {
    configureEach {
      resolutionStrategy {
        capabilitiesResolution {
          withCapability("org.lz4:lz4-java") {
            selectHighestVersion()
          }
        }
      }
    }
  }
}

This would at least unburden contributors and maintainers from patching new capability conflicts when dependency upgrades replace org.lz4:lz4-java as is the case for #39284.


Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

  • Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
  • Update CHANGES.md with noteworthy changes.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

Build python source distribution and wheels
Python tests
Java tests
Go tests

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses security vulnerabilities and dependency conflicts associated with the unmaintained 'org.lz4:lz4-java' library. By enforcing a global dependency substitution, the project ensures that the more secure 'at.yawk.lz4:lz4-java' is used consistently, simplifying the build configuration and removing the need for manual conflict resolution in individual modules.

Highlights

  • Dependency Substitution: Implemented a global dependency substitution in the root build.gradle.kts to replace 'org.lz4:lz4-java' with 'at.yawk.lz4:lz4-java:1.10.1' across all subprojects.
  • Cleanup of Legacy Resolution: Removed redundant 'resolveCapabilitiesConflict' helper method and all associated manual capability conflict resolutions in various Flink runner and testing modules.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request simplifies dependency management by removing the custom resolveCapabilitiesConflict helper and its usages across multiple subprojects. Instead, it centralizes the substitution of org.lz4:lz4-java with at.yawk.lz4:lz4-java:1.10.1 globally in the root build.gradle.kts to address known vulnerabilities. The review feedback suggests optimizing build performance by applying this resolution strategy only to resolvable configurations and centralizing the version definition in gradle.properties for better maintainability.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread build.gradle.kts
Comment on lines +1062 to +1075
configureEach {
resolutionStrategy {
dependencySubstitution {
// Substitute dependencies (including transitive) on org.lz4:lz4-java regardless of capability conflicts.
// All published versions of org.lz4:lz4-java have known vulnerabilities.
// At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have known vulnerabilities.
// Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java is always selected.
// Gradle resolves version conflicts by selecting the highest version by default.
// Gradle only resolves capability conflicts when multiple modules provide the same capability.
// This would allow org.lz4:lz4-java to still be selected, which is undesirable because of vulnerabilities.
substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:1.10.1"))
}
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

There are two improvement opportunities in this block:

  1. Performance Optimization: Configuring the resolution strategy for every single configuration across all subprojects introduces unnecessary configuration overhead, especially for non-resolvable configurations (e.g., api, implementation, compileOnly). Restricting this to only resolvable configurations using isCanBeResolved improves build performance.
  2. Centralized Dependency Management: Hardcoding the version 1.10.1 directly in the root build script duplicates the dependency version definition and bypasses centralized dependency management. Defining this version in a centralized location (such as gradle.properties) and referencing it here using project.findProperty improves maintainability.
    configureEach {
      if (isCanBeResolved) {
        val lz4Version = project.findProperty("lz4.version") ?: "1.10.1"
        resolutionStrategy {
          dependencySubstitution {
            // Substitute dependencies (including transitive) on org.lz4:lz4-java regardless of capability conflicts.
            // All published versions of org.lz4:lz4-java have known vulnerabilities.
            // At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have known vulnerabilities.
            // Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java is always selected.
            // Gradle resolves version conflicts by selecting the highest version by default.
            // Gradle only resolves capability conflicts when multiple modules provide the same capability.
            // This would allow org.lz4:lz4-java to still be selected, which is undesirable because of vulnerabilities.
            substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:$lz4Version"))
          }
        }
      }
    }

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion 1 is not commonly applied as far as I can tell from other Gradle projects.
Suggestion 2 seems fair given that all versions are defined in BeamModulePlugin.groovy, but it doesn't look particularly elegant:

var lz4Java = (project.ext.get("library") as Map<String, Map<String, *>>).get("java")!!.get("lz4_java").toString()
subprojects {
  configurations {
    configureEach {
      resolutionStrategy {
        dependencySubstitution {
          // Substitute dependencies (including transitive) on org.lz4:lz4-java regardless of capability conflicts.
          // All published versions of org.lz4:lz4-java have known vulnerabilities.
          // At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have known vulnerabilities.
          // Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java is always selected.
          // Gradle resolves version conflicts by selecting the highest version by default.
          // Gradle only resolves capability conflicts when multiple modules provide the same capability.
          // This would allow org.lz4:lz4-java to still be selected, which is undesirable because of vulnerabilities.
          substitute(module("org.lz4:lz4-java")).using(module(lz4Java))
        }
      }
    }

@github-actions

Copy link
Copy Markdown
Contributor

Checks are failing. Will not request review until checks are succeeding. If you'd like to override that behavior, comment assign set of reviewers

@sjvanrossum

Copy link
Copy Markdown
Contributor Author

assign set of reviewers

@github-actions

Copy link
Copy Markdown
Contributor

Assigning reviewers:

R: @ahmedabu98 for label java.
R: @damccorm for label build.

Note: If you would like to opt out of this review, comment assign to next reviewer.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

@sjvanrossum

Copy link
Copy Markdown
Contributor Author

Test failures seem to be caused by missing --add-opens in BigQueryIO tests for Arrow support.

Comment thread build.gradle.kts
}
}

subprojects {

@Abacn Abacn Jul 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The consideration I made capability resolution opt-in, instead of the default, in #39061 was to make sure we don't introduce new capability conflict in other Beam modules unintentionally. Because Gradle's resolutionStrategy.capabilitiesResolution.withCapability closure isn't transitive. i.e., downstream module compilation still need the same override. This was exactly what happens to beam-runners-flink-2.1 (after Flink 2.1 override "org.lz4:lz4-java" -> "at.yawk.lz4:lz4-java") and beam-examples-java (after Beam Flink runner override "org.lz4:lz4-java" -> "at.yawk.lz4:lz4-java")

Flink runner related components currently have this conflict due to Flink 2.1+ and Kafka 2.4 each have transitive dependency on 'org.lz4:lz4-java' capability from different packages

The bottom line is we don't propagate this conflict to user if they use a critical setup (Beam core + GCP dependencies + Dataflow runner)

I recommend we remain the opt-in mechism (use resolveCapabilitiesConflict in individual module), and if ever it propagates to (Beam core + GCP dependencies + Dataflow runner), we then need to bump their transitive dependency version to make sure there isn't capability conflict in the first place

It's fine to bump Beam's Kafka version requirement to 3.9.2, if it eliminates the capability conflict

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants