org.lz4:lz4-java has been discontinued:
> Note: The official lz4-java project has been discontinued. A community fork is available [here](https://github.com/yawkat/lz4-java). To address [CVE-2025-12183](https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183), Sonatype has added a redirect from org.lz4:lz4-java:1.8.1 to the new group ID.

It currently has two vulnerabilities: CVE-2025-12183 and CVE-2025-66566.
There's also an open issue about this in aircompressor, but the version referenced there (1.10.0, from the at.yawk.lz4:lz4-java fork) still has CVE-2025-66566.
The latest version - at.yawk.lz4:lz4-java:1.10.2 - has no known vulnerabilities:
- https://ossindex.sonatype.org/component/pkg:maven/at.yawk.lz4/lz4-java@1.10.2
- https://mvnrepository.com/artifact/at.yawk.lz4/lz4-java/1.10.2
The update should be a drop-in replacement, and should be backported to 2.x to support Java 8-21.
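
An added example, not part of the original issue or the project's code: a small checker that reads `mvn dependency:tree` output and flags the lz4-java coordinates discussed above. It assumes that any `at.yawk.lz4` release below 1.10.2 should be upgraded (the issue only names 1.10.0 explicitly); the sample tree and the `com.example` artifacts are constructed.

```python
import re

# Coordinates and versions come from the issue text above.
OLD_GROUP = "org.lz4"        # discontinued upstream
FORK_GROUP = "at.yawk.lz4"   # community fork
ARTIFACT = "lz4-java"
RECOMMENDED = (1, 10, 2)     # version the issue reports as having no known vulnerabilities

# Maven prints group:artifact:type[:classifier]:version:scope for each dependency.
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w.\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+)"
    r":(?P<scope>compile|runtime|test|provided|system)\b"
)

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = r"""[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:some-codec:jar:2.3.0:compile
[INFO] |  \- org.lz4:lz4-java:jar:1.8.0:compile
[INFO] +- at.yawk.lz4:lz4-java:jar:1.10.0:compile
[INFO] \- at.yawk.lz4:lz4-java:jar:1.10.2:runtime"""

def version_tuple(version):
    """Turn '1.10.0' or '1.10.0-SNAPSHOT' into a comparable (major, minor, patch)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def scan_tree(text):
    """Return (coordinates, reason) for every lz4-java entry that needs attention."""
    findings = []
    for line in text.splitlines():
        m = COORD.search(line)
        if not m or m["artifact"] != ARTIFACT:
            continue
        gav = f'{m["group"]}:{m["artifact"]}:{m["version"]}'
        if m["group"] == OLD_GROUP:
            # Transitive pulls of the old group ID are the easy ones to miss.
            findings.append((gav, "discontinued group ID; move to at.yawk.lz4:lz4-java:1.10.2"))
        elif m["group"] == FORK_GROUP and version_tuple(m["version"]) < RECOMMENDED:
            findings.append((gav, "fork release older than 1.10.2; upgrade"))
    return findings

if __name__ == "__main__":
    for gav, reason in scan_tree(SAMPLE_TREE):
        print(f"{gav}: {reason}")
```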