lz4-java vuln remediation 1/23/26 (#5567)

bdoyle0182 · Brendan Doyle · web-flow · commit 3d28212ee547 · 2026-01-23T13:20:29.000-08:00
Co-authored-by: Brendan Doyle &lt;brendand@qualtrics.com&gt;
diff --git a/common/scala/build.gradle b/common/scala/build.gradle
@@ -206,4 +206,10 @@ configurations {
         exclude group: 'commons-logging'
         exclude group: 'log4j'
     }
+    all {
+        resolutionStrategy.dependencySubstitution {
+            // CVE-2025-12183, CVE-2025-66566: org.lz4:lz4-java relocated to at.yawk.lz4 transitive dependency of kafka-clients
+            substitute module('org.lz4:lz4-java') using module('at.yawk.lz4:lz4-java:1.10.3')
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -206,4 +206,10 @@ configurations {`
`206`	`206`	`exclude group: 'commons-logging'`
`207`	`207`	`exclude group: 'log4j'`
`208`	`208`	`}`
	`209`	`+ all {`
	`210`	`+ resolutionStrategy.dependencySubstitution {`
	`211`	`+ // CVE-2025-12183, CVE-2025-66566: org.lz4:lz4-java relocated to at.yawk.lz4 transitive dependency of kafka-clients`
	`212`	`+ substitute module('org.lz4:lz4-java') using module('at.yawk.lz4:lz4-java:1.10.3')`
	`213`	`+ }`
	`214`	`+ }`
`209`	`215`	`}`