spring maven spring-kafka

getting to kafka-client 3.9.1 with spring-boot-starter-parent


Looking at dependencies spring-boot-starter-parent references:

However

I tried to add an exclusion to force the newer kafka-client but 3.8.1 persists

    <!-- Kafka dependencies - the latest version 3.3.7 uses 3.8.1 of the kafka clients, which has a vulnerability, need to manually set and use 3.9.1 version-->
    <dependency>
        <groupId>org.springframework.kafka</groupId>
        <artifactId>spring-kafka</artifactId>
        <version>${spring-kafka.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.kafka</groupId>
                <artifactId>kafka-clients</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.apache.kafka</groupId>
        <artifactId>kafka-clients</artifactId>
        <version>${kafka-clients.version}</version>
    </dependency>

Which leaves me with this issue: [image]

Is there a better way to force the 3.9.1 across the board here?


Solution

  • Just went to https://start.spring.io/ and generated a new project with Spring for Apache Kafka. The pom looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>3.5.3</version>
            <relativePath/> <!-- lookup parent from repository -->
        </parent>
        <groupId>org.springframework.kafka.issue</groupId>
        <artifactId>spring-with-kafka-391</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <name>spring-with-kafka-391</name>
        <description>spring-with-kafka-391</description>
        <url/>
        <licenses>
            <license/>
        </licenses>
        <developers>
            <developer/>
        </developers>
        <scm>
            <connection/>
            <developerConnection/>
            <tag/>
            <url/>
        </scm>
        <properties>
            <java.version>17</java.version>
        </properties>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.kafka</groupId>
                <artifactId>spring-kafka</artifactId>
            </dependency>
    
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.kafka</groupId>
                <artifactId>spring-kafka-test</artifactId>
                <scope>test</scope>
            </dependency>
        </dependencies>
    
        <build>
            <plugins>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                </plugin>
            </plugins>
        </build>
    
    </project>
    

    Then I ran mvnw dependency:tree and cannot find any 3.8.1 in dependencies. So, I'm not sure what those screenshots you show in your question are. Perhaps that tool is not smart enough to resolve Spring Boot dependency management properly.
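An added example, not part of the original question or answer: with spring-boot-starter-parent as the parent, the kafka-clients version comes from Boot's dependency management, so overriding the `kafka.version` property pins it everywhere, and an enforcer rule fails the build if an older version is ever resolved again. The execution id is a hypothetical name, and the enforcer plugin version is assumed to come from the parent's plugin management (add an explicit `<version>` if your build reports it missing).

```xml
<!-- Added example: fragments for a pom.xml that inherits spring-boot-starter-parent. -->
<properties>
    <java.version>17</java.version>
    <!-- Boot's dependency management reads this property for the
         org.apache.kafka artifacts, so the override applies to kafka-clients
         wherever it is pulled in, including transitively via spring-kafka. -->
    <kafka.version>3.9.1</kafka.version>
</properties>

<dependencies>
    <!-- No <version> and no <exclusions>: the managed version applies.
         (An exclusion would only match if it named the artifact's real
         coordinates, org.apache.kafka:kafka-clients.) -->
    <dependency>
        <groupId>org.springframework.kafka</groupId>
        <artifactId>spring-kafka</artifactId>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-enforcer-plugin</artifactId>
            <!-- Assumption: version inherited from the parent's pluginManagement. -->
            <executions>
                <execution>
                    <id>ban-old-kafka-clients</id> <!-- hypothetical id -->
                    <goals>
                        <goal>enforce</goal>
                    </goals>
                    <configuration>
                        <rules>
                            <bannedDependencies>
                                <excludes>
                                    <!-- Range (,3.9.1) matches every version below 3.9.1,
                                         direct or transitive. -->
                                    <exclude>org.apache.kafka:kafka-clients:(,3.9.1)</exclude>
                                </excludes>
                            </bannedDependencies>
                        </rules>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

Running mvnw dependency:tree -Dincludes=org.apache.kafka:kafka-clients shows only the kafka-clients entries, which makes the resolved version easy to confirm against what a scanner reports.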