From a21925210189cb52c171568a6d07aa6ee5b37c8d Mon Sep 17 00:00:00 2001
From: Erik Anderson <4634290+erikanderson@users.noreply.github.com>
Date: Mon, 1 Dec 2025 19:55:01 -0500
Subject: [PATCH 1/8] Update lz4 dependency version
Updated lz4 dependency version from 1.8.0 to 1.8.1. For https://nvd.nist.gov/vuln/detail/CVE-2025-12183
---
 gradle/dependencies.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 53ee210c50c8c..37dbddf948179 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -108,7 +108,7 @@ versions += [
 kafka_41: "4.1.1",
 log4j2: "2.25.1",
 // When updating lz4 make sure the compression levels in org.apache.kafka.common.record.CompressionType are still valid
- lz4: "1.8.0",
+ lz4: "1.8.1",
 mavenArtifact: "3.9.6",
 metrics: "2.2.0",
 mockito: "5.20.0",
From bb9f8175d155980ef322972d1fa756b80fd2cf20 Mon Sep 17 00:00:00 2001
From: Erik Anderson
Date: Tue, 2 Dec 2025 11:10:01 -0500
Subject: [PATCH 2/8] Updated license binary for lz4
---
 LICENSE-binary | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index f991bd9ddc49a..974e1b468f073 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -242,7 +242,7 @@ License Version 2.0:
 - log4j-core-2.25.1
 - log4j-slf4j-impl-2.25.1
 - log4j-1.2-api-2.25.1
-- lz4-java-1.8.0
+- lz4-java-1.8.1
 - maven-artifact-3.9.6
 - metrics-core-2.2.0
 - opentelemetry-proto-1.3.2-alpha
From 51c520e90c0892bc68e0393a0903029c5381690a Mon Sep 17 00:00:00 2001
From: Erik Anderson
Date: Tue, 2 Dec 2025 12:08:13 -0500
Subject: [PATCH 3/8] Update gav for lz4
---
 gradle/dependencies.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 37dbddf948179..9952b4871b77a 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -211,7 +211,7 @@ libs += [
 log4j1Bridge2Api: "org.apache.logging.log4j:log4j-1.2-api:$versions.log4j2",
 log4j2Api: "org.apache.logging.log4j:log4j-api:$versions.log4j2",
 log4j2Core: "org.apache.logging.log4j:log4j-core:$versions.log4j2",
- lz4: "org.lz4:lz4-java:$versions.lz4",
+ lz4: "at.yawk.lz4:lz4-java:$versions.lz4",
 metrics: "com.yammer.metrics:metrics-core:$versions.metrics",
 mockitoCore: "org.mockito:mockito-core:$versions.mockito",
 mockitoJunitJupiter: "org.mockito:mockito-junit-jupiter:$versions.mockito",
From 6b96154e24e3bc464ed43108a14d59d22dbc3174 Mon Sep 17 00:00:00 2001
From: Erik Anderson
Date: Tue, 2 Dec 2025 15:13:30 -0500
Subject: [PATCH 4/8] Add ref to lz4 constants
---
 gradle/dependencies.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 9952b4871b77a..0c064501f0ce7 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -108,6 +108,7 @@ versions += [
 kafka_41: "4.1.1",
 log4j2: "2.25.1",
 // When updating lz4 make sure the compression levels in org.apache.kafka.common.record.CompressionType are still valid
+ // https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24
 lz4: "1.8.1",
 mavenArtifact: "3.9.6",
 metrics: "2.2.0",
From 088e16c3414553f80faf2f03bcc25926f7a650d7 Mon Sep 17 00:00:00 2001
From: Erik Anderson
Date: Wed, 3 Dec 2025 09:44:55 -0500
Subject: [PATCH 5/8] Add comment to compression type ref for lz4
---
 gradle/dependencies.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 0c064501f0ce7..342ba271e3877 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
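Review bot: The `lz4:` coordinate now resolves to a different publisher (`at.yawk.lz4` instead of `org.lz4`), but neither the line nor the commit message records why that fork is the trusted source or that it still ships the `net.jpountz` classes Kafka compiles against (the LZ4Constants link added in PATCH 4/8 sits under `src/java/net/jpountz`, which suggests the package is unchanged, but this hunk does not establish it). A group-id switch is exactly the place where a wrong or look-alike namespace would go unnoticed on later bumps, so the reason for the change and the provenance check performed (the resolved artifact's signature or checksum matching what the fork publishes) belong next to the coordinate rather than only in a PR thread. I would annotate the line, e.g. `lz4: "at.yawk.lz4:lz4-java:$versions.lz4", // maintained fork of org.lz4:lz4-java, same net.jpountz package; verify publisher signature/checksum when bumping`. The enclosing `libs += [` map continues outside the hunk.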
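Review bot: The added comment links `LZ4Constants.java` with a `#L23-L24` anchor on the fork's `main` branch, so the reference will silently point at the wrong lines as soon as that file changes upstream; the `trunk` anchor added in PATCH 5/8 for `CompressionType.java#L73-L74` has the same problem. A permalink to a specific commit (`https://github.com/yawkat/lz4-java/blob/<commit-sha>/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24`, with the sha filled in) keeps the reference stable, and for Kafka's own file a repository-relative path (`clients/src/main/java/org/apache/kafka/common/record/CompressionType.java`) avoids pointing at a moving branch at all. Since the comment exists so that version bumps re-check the valid compression-level range, saying what to compare would help more than a line number, e.g. `// check that CompressionType's lz4 level bounds still match the compression-level constants in the fork's LZ4Constants`. The enclosing `versions += [` map continues outside the hunk.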
@@ -108,6 +108,7 @@ versions += [
 kafka_41: "4.1.1",
 log4j2: "2.25.1",
 // When updating lz4 make sure the compression levels in org.apache.kafka.common.record.CompressionType are still valid
+ // https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
 // https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24
 lz4: "1.8.1",
 mavenArtifact: "3.9.6",
From cd8be9e4951627b9f7e9032ba8f86b2075fb7ad4 Mon Sep 17 00:00:00 2001
From: Chia-Ping Tsai
Date: Fri, 5 Dec 2025 10:22:49 +0800
Subject: [PATCH 6/8] use 1.10.0 instead
---
 LICENSE-binary | 2 +-
 gradle/dependencies.gradle | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 974e1b468f073..41c0635c33d77 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -242,7 +242,7 @@ License Version 2.0:
 - log4j-core-2.25.1
 - log4j-slf4j-impl-2.25.1
 - log4j-1.2-api-2.25.1
-- lz4-java-1.8.1
+- lz4-java-1.10.0
 - maven-artifact-3.9.6
 - metrics-core-2.2.0
 - opentelemetry-proto-1.3.2-alpha
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 342ba271e3877..0197e58b62fc6 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -110,7 +110,7 @@ versions += [
 // When updating lz4 make sure the compression levels in org.apache.kafka.common.record.CompressionType are still valid
 // https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
 // https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24
- lz4: "1.8.1",
+ lz4: "1.10.0",
 mavenArtifact: "3.9.6",
 metrics: "2.2.0",
 mockito: "5.20.0",
From 949e90a34e5a222116e424b194f2a865b12ee860 Mon Sep 17 00:00:00 2001
From: Erik Anderson
Date: Fri, 5 Dec 2025 09:31:06 -0500
Subject: [PATCH 7/8] Update lz4-java for CVE-2025-66566
---
 LICENSE-binary | 2 +-
 gradle/dependencies.gradle | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 41c0635c33d77..2340186d035bd 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -242,7 +242,7 @@ License Version 2.0:
 - log4j-core-2.25.1
 - log4j-slf4j-impl-2.25.1
 - log4j-1.2-api-2.25.1
-- lz4-java-1.10.0
+- lz4-java-1.10.1
 - maven-artifact-3.9.6
 - metrics-core-2.2.0
 - opentelemetry-proto-1.3.2-alpha
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 0197e58b62fc6..6426c9f28bb50 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -110,7 +110,7 @@ versions += [
 // When updating lz4 make sure the compression levels in org.apache.kafka.common.record.CompressionType are still valid
 // https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
 // https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24
- lz4: "1.10.0",
+ lz4: "1.10.1",
 mavenArtifact: "3.9.6",
 metrics: "2.2.0",
 mockito: "5.20.0",
From 1fd78dd3c5094d03d7c20ff4a7628c8d9136b847 Mon Sep 17 00:00:00 2001
From: Mickael Maison
Date: Mon, 8 Dec 2025 11:09:20 +0100
Subject: [PATCH 8/8] Update NOTICE-binary
---
 NOTICE-binary | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NOTICE-binary b/NOTICE-binary
index b625e142293ad..00b25d5d3f3bd 100644
--- a/NOTICE-binary
+++ b/NOTICE-binary
@@ -687,7 +687,7 @@ and decompression library written by Adrien Grand. It can be obtained at:
 * LICENSE:
 * license/LICENSE.lz4.txt (Apache License 2.0)
 * HOMEPAGE:
- * https://github.com/jpountz/lz4-java
+ * https://github.com/yawkat/lz4-java
 This product optionally depends on 'lzma-java', a LZMA Java compression and decompression library, which can be obtained at: