From 65987c72be26eb3b194432b7c765623e47ce1f70 Mon Sep 17 00:00:00 2001
From: Jeff Cantrill <jcantril@redhat.com>
Date: Thu, 26 Mar 2026 09:28:21 -0400
Subject: [PATCH] LOG-8971: update lz4_flex dependency to 0.11.6

---
 Cargo.lock | 18 ++++--------------
 Cargo.toml |  1 +
 2 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f4d017832d237..f1b8340316ad1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5913,11 +5913,11 @@ dependencies = [
 
 [[package]]
 name = "lz4_flex"
-version = "0.11.3"
+version = "0.11.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75761162ae2b0e580d7e7c390558127e5f01b4194debd6221fd8c207fc80e3f5"
+checksum = "373f5eceeeab7925e0c1098212f2fbc4d416adec9d35051a6ab251e824c1854a"
 dependencies = [
- "twox-hash 1.6.3",
+ "twox-hash",
 ]
 
 [[package]]
@@ -11101,16 +11101,6 @@ dependencies = [
  "utf-8",
 ]
 
-[[package]]
-name = "twox-hash"
-version = "1.6.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97fee6b57c6a41524a810daee9286c02d7752c4253064d0b05472833a438f675"
-dependencies = [
- "cfg-if",
- "static_assertions",
-]
-
 [[package]]
 name = "twox-hash"
 version = "2.1.0"
@@ -11900,7 +11890,7 @@ dependencies = [
  "tokio-util",
  "tower",
  "tracing 0.1.41",
- "twox-hash 2.1.0",
+ "twox-hash",
  "vector-common",
  "vector-core",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index 8322a7ceeb45c..5f1fd5b5cce49 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -147,6 +147,7 @@ hickory-proto = { version = "0.25.1", default-features = false, features = ["dns
 indexmap = { version = "2.9.0", default-features = false, features = ["serde", "std"] }
 inventory = { version = "0.3" }
 indoc = { version = "2.0.6" }
+lz4_flex = "0.11.6"  # Fix for LOG-8971: GHSA-vvp9-7p8x-rfvv - Memory disclosure vulnerability
 metrics = "0.24.2"
 metrics-tracing-context = { version = "0.17.0", default-features = false }
 metrics-util = { version = "0.18.0", default-features = false, features = ["registry"] }