From e0cf2bd07a7ef7613e267effb9ab102110a6fc3f Mon Sep 17 00:00:00 2001
From: nlou9 <nlou@confluent.io>
Date: Wed, 29 Apr 2026 15:00:30 -0700
Subject: [PATCH 1/3] feat: import confluent-common-bom for dependency version
 management

Replace individual dependencyManagement entries with a single
confluent-common-bom import for third-party dependencies. This
delegates version management to the BOM while keeping all properties
for downstream repo backward compatibility.

Deps removed (now managed by BOM): avro, classgraph, commons-io,
commons-lang3, commons-beanutils, commons-codec, commons-compress,
commons-validator, grpc-bom, okio-jvm, protobuf-java, snakeyaml,
jetty-bom, snappy-java, jose4j, guava, httpclient5, slf4j-api,
jaxb-api, spotbugs-annotations, bcpkix-jdk18on, bcprov-jdk18on,
bc-fips, bctls-fips, bcpkix-fips, bcutil-fips, gson, netty-bom,
slf4j-reload4j, logback-core, reload4j, logredactor, junit,
easymock, powermock-*.

Deps kept (not in BOM): jackson-bom, aws-java-sdk-bom, aws-sdk-v2,
azure-*, scala-*, kafka-*, confluent internal modules, junit-bom,
mockito-bom, mockito-all, hamcrest-all, log4j-slf4j-impl (runtime scope).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 pom.xml | 262 +++++---------------------------------------------------
 1 file changed, 21 insertions(+), 241 deletions(-)

diff --git a/pom.xml b/pom.xml
index 40615a0069..8c80018f19 100644
--- a/pom.xml
+++ b/pom.xml
@@ -232,117 +232,24 @@
 
     <dependencyManagement>
         <dependencies>
-            <!-- our deps-->
+            <!-- Confluent Common BOM - manages third-party dependency versions -->
             <dependency>
-              <groupId>org.apache.avro</groupId>
-              <artifactId>avro</artifactId>
-              <version>${avro.version}</version>
-            </dependency>
-            <!-- Pin the classgraph version to match version used in ce-kafka.
-            The outadated version is brought by schema-registry transitive
-            dependency mbknor-jackson -->
-            <dependency>
-                <groupId>io.github.classgraph</groupId>
-                <artifactId>classgraph</artifactId>
-                <version>${classgraph.version}</version>
-            </dependency>
-            <!-- Unify version of commons-io with ce-kafka, allow downstream repos to unpin -->
-            <dependency>
-                <groupId>commons-io</groupId>
-                <artifactId>commons-io</artifactId>
-                <version>${commons-io.version}</version>
-            </dependency>
-            <!-- Unify version of commons-lang3 with ce-kafka, allow downstream repos to unpin -->
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-lang3</artifactId>
-                <version>${commons-lang3.version}</version>
-            </dependency>
-            <!-- Pin version of commons-beanutils as it is used transitively not only by commons-validator -->
-            <dependency>
-                <groupId>commons-beanutils</groupId>
-                <artifactId>commons-beanutils</artifactId>
-                <version>${commons-beanutils.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>commons-codec</groupId>
-                <artifactId>commons-codec</artifactId>
-                <version>${commons-codec.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-compress</artifactId>
-                <version>${commons-compress.version}</version>
-            </dependency>
-            <!-- Unify version of commons-validator with ce-kafka, allow downstream repos to unpin -->
-            <dependency>
-                <groupId>commons-validator</groupId>
-                <artifactId>commons-validator</artifactId>
-                <version>${commons-validator.version}</version>
-            </dependency>
-            <!-- Unify version of grpc-version with ce-kafka, allow downstream repos to unpin -->
-            <dependency>
-                <groupId>io.grpc</groupId>
-                <artifactId>grpc-bom</artifactId>
-                <version>1.75.0</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
-            <!-- This is to match to okio version used in ce-flink / ce-kafka 7.8  -->
-            <dependency>
-                <groupId>com.squareup.okio</groupId>
-                <artifactId>okio-jvm</artifactId>
-                <version>${okio.version}</version>
-            </dependency>
-            <!-- This is to unify the version of Protocol Buffers across CP -->
-            <dependency>
-                <groupId>com.google.protobuf</groupId>
-                <artifactId>protobuf-java</artifactId>
-                <version>${protobuf.version}</version>
-            </dependency>
-            <!-- snakeyaml is brought in by several confluent libraries
-                 as "provided" dependency, thus leading to usage of
-                 outdated versions. This instructs projects using this pom
-                 to use this snakeyaml version, unless otherwise overriden.
-                 After this change, we should remove all the snakeyaml re-definitions
-                 in other Confluent repositories. -->
-            <dependency>
-                <groupId>org.yaml</groupId>
-                <artifactId>snakeyaml</artifactId>
-                <version>${snakeyaml.version}</version>
-            </dependency>
-            <!-- Unify jetty across CP, remove jetty definition from
-            rest-utils after this goes through -->
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-bom</artifactId>
-                <version>${jetty.version}</version>
+                <groupId>io.confluent</groupId>
+                <artifactId>confluent-common-bom</artifactId>
+                <version>0.0.1-SNAPSHOT</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
-            <!-- snappy-java is brought in by kafka-clients and its version is specified
-            in ce-kafka -->
-            <dependency>
-                <groupId>org.xerial.snappy</groupId>
-                <artifactId>snappy-java</artifactId>
-                <version>${snappy.version}</version>
-            </dependency>
-            <!-- jose4j is used in ce-kafka and its version is specified
-            in ce-kafka, this is for maven projects to use the correct version -->
-            <dependency>
-                <groupId>org.bitbucket.b_c</groupId>
-                <artifactId>jose4j</artifactId>
-                <version>${jose4j.version}</version>
-            </dependency>
-            <!-- we define guava version above, its version is specified
-            in ce-kafka, this is for maven projects to use the correct version -->
+
+            <!-- Jackson BOM - not yet in confluent-common-bom -->
             <dependency>
-                <groupId>com.google.guava</groupId>
-                <artifactId>guava</artifactId>
-                <version>${guava.version}</version>
+              <groupId>com.fasterxml.jackson</groupId>
+              <artifactId>jackson-bom</artifactId>
+              <version>${jackson.version}</version>
+              <scope>import</scope>
+              <type>pom</type>
             </dependency>
-            <!-- we define aws-java-sdk azure-identity and azure-storage-blob
-            versions, to match the versions in ce-kafka -->
+            <!-- AWS SDKs - not in confluent-common-bom -->
             <dependency>
                 <groupId>com.amazonaws</groupId>
                 <artifactId>aws-java-sdk-bom</artifactId>
@@ -357,6 +264,7 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <!-- Azure - not in confluent-common-bom (BOM uses azure-sdk-bom instead) -->
             <dependency>
                 <groupId>com.azure</groupId>
                 <artifactId>azure-identity</artifactId>
@@ -372,73 +280,16 @@
                 <artifactId>azure-security-keyvault-keys</artifactId>
                 <version>${azure-security-keyvault-keys.version}</version>
             </dependency>
-            <!-- specify version of httpclient5 that is used in ce-kafka for compatibility in maven builds -->
-            <dependency>
-                <groupId>org.apache.httpcomponents.client5</groupId>
-                <artifactId>httpclient5</artifactId>
-                <version>${httpclient5.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.slf4j</groupId>
-                <artifactId>slf4j-api</artifactId>
-                <version>${slf4j.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>javax.xml.bind</groupId>
-                <artifactId>jaxb-api</artifactId>
-                <version>${jaxb.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.github.spotbugs</groupId>
-                <artifactId>spotbugs-annotations</artifactId>
-                <version>${spotbugs.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.bouncycastle</groupId>
-                <artifactId>bcpkix-jdk18on</artifactId>
-                <version>${bouncycastle.jdk18.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.bouncycastle</groupId>
-                <artifactId>bcprov-jdk18on</artifactId>
-                <version>${bouncycastle.jdk18.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.bouncycastle</groupId>
-                <artifactId>bc-fips</artifactId>
-                <version>${bouncycastle.fips.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.bouncycastle</groupId>
-                <artifactId>bctls-fips</artifactId>
-                <version>${bouncycastle.tls-fips.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.bouncycastle</groupId>
-                <artifactId>bcpkix-fips</artifactId>
-                <version>${bouncycastle.bcpkix-fips.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.bouncycastle</groupId>
-                <artifactId>bcutil-fips</artifactId>
-                <version>${bouncycastle.bcutil-fips.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.google.code.gson</groupId>
-                <artifactId>gson</artifactId>
-                <version>${gson.version}</version>
-            </dependency>
 
-            <!-- Jackson artifacts with individual versioning -->
+            <!-- log4j-slf4j-impl: keep for runtime scope (BOM does not set scope) -->
             <dependency>
-              <groupId>com.fasterxml.jackson</groupId>
-              <artifactId>jackson-bom</artifactId>
-              <version>${jackson.version}</version>
-              <scope>import</scope>
-              <type>pom</type>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-slf4j-impl</artifactId>
+                <scope>runtime</scope>
+                <version>${log4j2.version}</version>
             </dependency>
-            <!-- We fix the scala version to prevent downstream projects from bringing in
-            different minor versions of Scala via different dependencies -->
+
+            <!-- Scala - not in confluent-common-bom -->
             <dependency>
                 <groupId>org.scala-lang</groupId>
                 <artifactId>scala-library</artifactId>
@@ -497,42 +348,7 @@
                 <artifactId>connect-file</artifactId>
                 <version>${kafka.version}</version>
             </dependency>
-            <dependency>
-                <groupId>org.slf4j</groupId>
-                <artifactId>slf4j-reload4j</artifactId>
-                <version>${slf4j-reload4j.version}</version>
-            </dependency>
-            <!-- add version definition of logback that is
-            a transitive dependency of ce-kafka -> resource manager
-            This is needed as maven brings back dependency excluded in bazel -->
-            <dependency>
-                <groupId>ch.qos.logback</groupId>
-                <artifactId>logback-core</artifactId>
-                <version>${logback-core.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-slf4j-impl</artifactId>
-                <scope>runtime</scope>
-                <version>${log4j2.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>ch.qos.reload4j</groupId>
-                <artifactId>reload4j</artifactId>
-                <version>${reload4j.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>io.confluent</groupId>
-                <artifactId>logredactor</artifactId>
-                <version>${logredactor.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>io.netty</groupId>
-                <artifactId>netty-bom</artifactId>
-                <version>${netty.version}</version>
-                <scope>import</scope>
-                <type>pom</type>
-            </dependency>
+
             <!--this is our own artifacts, but lets others inherit-->
             <dependency>
                 <groupId>io.confluent</groupId>
@@ -551,12 +367,6 @@
             </dependency>
 
             <!--test deps-->
-            <dependency>
-                <groupId>junit</groupId>
-                <artifactId>junit</artifactId>
-                <version>${junit.version}</version>
-                <scope>test</scope>
-            </dependency>
             <dependency>
                 <groupId>org.junit</groupId>
                 <artifactId>junit-bom</artifactId>
@@ -564,36 +374,6 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
-            <dependency>
-                <groupId>org.easymock</groupId>
-                <artifactId>easymock</artifactId>
-                <version>${easymock.version}</version>
-                <scope>test</scope>
-            </dependency>
-            <dependency>
-                <groupId>org.powermock</groupId>
-                <artifactId>powermock-module-junit4</artifactId>
-                <version>${powermock.version}</version>
-                <scope>test</scope>
-            </dependency>
-            <dependency>
-                <groupId>org.powermock</groupId>
-                <artifactId>powermock-core</artifactId>
-                <version>${powermock.version}</version>
-                <scope>test</scope>
-            </dependency>
-            <dependency>
-                <groupId>org.powermock</groupId>
-                <artifactId>powermock-api-easymock</artifactId>
-                <version>${powermock.version}</version>
-                <scope>test</scope>
-            </dependency>
-            <dependency>
-                <groupId>org.powermock</groupId>
-                <artifactId>powermock-api-mockito2</artifactId>
-                <version>${powermock.version}</version>
-                <scope>test</scope>
-            </dependency>
             <dependency>
                 <groupId>org.mockito</groupId>
                 <artifactId>mockito-bom</artifactId>

From fb24a18fde94063a999d4e8fc456b41584a89b2e Mon Sep 17 00:00:00 2001
From: nlou9 <nlou@confluent.io>
Date: Wed, 29 Apr 2026 15:31:24 -0700
Subject: [PATCH 2/3] fix: add confluent-common-bom snapshot repository

Add CodeArtifact repository entry so Maven can resolve
confluent-common-bom:0.0.1-SNAPSHOT during CI builds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 pom.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pom.xml b/pom.xml
index 8c80018f19..ca78cb104d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -221,6 +221,13 @@
             <id>confluent</id>
             <url>https://packages.confluent.io/maven/</url>
         </repository>
+        <repository>
+            <id>confluent-common-bom-snapshots</id>
+            <url>https://confluent-519856050701.d.codeartifact.us-west-2.amazonaws.com/maven/maven-snapshots/</url>
+            <snapshots>
+                <enabled>true</enabled>
+            </snapshots>
+        </repository>
     </repositories>
 
     <pluginRepositories>

From eda1693c874016447ff7e636f897ae8afcb21060 Mon Sep 17 00:00:00 2001
From: nlou9 <nlou@confluent.io>
Date: Wed, 29 Apr 2026 15:43:02 -0700
Subject: [PATCH 3/3] revert: remove internal CodeArtifact repo entry from
 public pom.xml

The BOM resolution needs to be handled via CI Maven settings,
not in the public pom.xml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 pom.xml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/pom.xml b/pom.xml
index ca78cb104d..8c80018f19 100644
--- a/pom.xml
+++ b/pom.xml
@@ -221,13 +221,6 @@
             <id>confluent</id>
             <url>https://packages.confluent.io/maven/</url>
         </repository>
-        <repository>
-            <id>confluent-common-bom-snapshots</id>
-            <url>https://confluent-519856050701.d.codeartifact.us-west-2.amazonaws.com/maven/maven-snapshots/</url>
-            <snapshots>
-                <enabled>true</enabled>
-            </snapshots>
-        </repository>
     </repositories>
 
     <pluginRepositories>