MINOR: Update dependencies (minor versions only) #13673
Thanks @divijvaidya. I am wondering whether it is best to separate each upgrade into a separate PR? That makes each dependency update atomic and thus easier to revert in case we notice an issue related to a specific dependency upgrade. What do you think?
In relation to dependency upgrades, has there been any discussion around automated tooling, e.g. usage of dependabot or renovate?
Thanks for your comment @machi1990. In principle what you say is right, but given the limited committer bandwidth in the community, I am trying to optimize for code reviewer comfort right now. That is why I have intentionally added only the non-controversial upgrades here in the PR. In case of a need for rollback, we can always choose to roll forward by modifying the version of a specific dependency.
I don't know. I have seen @ijuma being the one who periodically performs dependency upgrades. He may be able to provide more info about this. Dependabot is a good idea (and some other Apache communities use it), except when it leads to noise. I don't know if there is a way to "mute" it and enable it only at the beginning of a release cycle.
Thanks, I'll be interested in any details that could be provided @ijuma
Yes, it is possible. With dependabot you can limit the number of PRs opened. Setting the limit to
It's a good thing to keep dependencies up to date
@@ -142,7 +142,7 @@ libs += [ | |||
apachedsMavibotPartition: "org.apache.directory.server:apacheds-mavibot-partition:$versions.apacheds", | |||
apachedsJdbmPartition: "org.apache.directory.server:apacheds-jdbm-partition:$versions.apacheds", | |||
argparse4j: "net.sourceforge.argparse4j:argparse4j:$versions.argparse4j", | |||
bcpkix: "org.bouncycastle:bcpkix-jdk15on:$versions.bcpkix", | |||
bcpkix: "org.bouncycastle:bcpkix-jdk18on:$versions.bcpkix", |
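Review bot: this hunk changes the artifact coordinate (bcpkix-jdk15on to bcpkix-jdk18on) while leaving $versions.bcpkix untouched, which is more than the "minor versions only" bump the PR title announces; it should be called out explicitly in the PR description, and the resolved dependency tree should be checked so that no other module still pulls a -jdk15on Bouncy Castle artifact in alongside the new -jdk18on one, since two copies of the provider classes on the classpath would be a hard-to-diagnose runtime problem rather than a build failure.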
FYI, reviewers, this changes the version of bouncycastle to one which is compatible from JDK 1.8 onwards instead of the earlier JDK 1.5.
@ijuma, requesting your thoughts about merging this in.
LGTM!
Failed tests are unrelated:
All dependency upgrades in the PR are minor upgrades with backward compatible changes. Note that no major versions of dependencies have been changed, to make it a low-risk change. No code changes are required for any of these dependencies. Reviewers: Luke Chen <[email protected]>
backported to v3.5 and v3.4
Looks good.
All dependency upgrades in the PR are minor upgrades with backward compatible changes. Note that no major versions of dependencies have been changed, to make it a low-risk change. No code changes are required for any of these dependencies. There are separate PRs such as #13662 which will upgrade the major versions.
Release notes for dependencies:
bcpkix 1.70 -> 1.73
Release notes:
https://www.bouncycastle.org/releasenotes.html#r1rv72
https://www.bouncycastle.org/releasenotes.html#r1rv73
httpclient 4.5.13 -> 4.5.14
Some perf fixes, resource de-allocation fixes and no retry in case of NoRouteToHostException
Release notes: https://downloads.apache.org/httpcomponents/httpclient/RELEASE_NOTES-4.5.x.txt
jackson and jackson-databind 2.13.4 -> 2.13.5
Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.5
javassist 3.27.0-GA -> 3.29.2-GA
Release notes:
https://github.com/jboss-javassist/javassist/releases/tag/rel_3_29_2_ga
https://github.com/jboss-javassist/javassist/releases/tag/rel_3_29_1_ga
https://github.com/jboss-javassist/javassist/releases/tag/rel_3_29_0_ga
https://github.com/jboss-javassist/javassist/releases/tag/rel_3_28_0_ga
jetty 9.4.48.v20220622 -> 9.4.51.v20230217
Fixes CVE-2023-26048 and CVE-2023-26049
Release notes:
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.50.v20221201
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.49.v20220914
jersey 2.34 -> 2.39.1
Release notes:
https://github.com/eclipse-ee4j/jersey/releases/tag/2.39.1
https://github.com/eclipse-ee4j/jersey/releases/tag/2.39
https://github.com/eclipse-ee4j/jersey/releases/tag/2.38
https://github.com/eclipse-ee4j/jersey/releases/tag/2.37
https://github.com/eclipse-ee4j/jersey/releases/tag/2.36
https://github.com/eclipse-ee4j/jersey/releases/tag/2.35 (<- Adds JDK 16 support)
jline 3.21.0 -> 3.22.0
Bug fixes.
Breaking change (doesn't impact us): SyntaxHighlighter has been moved from org.jline.builtins.Nano.SyntaxHighlighter to org.jline.builtins.SyntaxHighlighter.
Release notes: https://github.com/jline/jline3/releases/tag/jline-parent-3.22.0
jaxb 2.3.0 -> 2.3.1
Can't find release notes! But https://mvnrepository.com/artifact/javax.xml.bind/jaxb-api/2.3.1 is the latest version in Maven.
netty 4.1.86.Final -> 4.1.92.Final
Release notes:
https://netty.io/news/2023/04/25/4-1-92-Final.html
https://netty.io/news/2023/04/03/4-1-91-Final.html
https://netty.io/news/2023/02/13/4-1-89-Final.html
https://netty.io/news/2023/02/12/4-1-88-Final.html
https://netty.io/news/2023/01/12/4-1-87-Final.html
reload4j 1.2.19 -> 1.2.25
Fixed a newly discovered XXE vector vulnerability reported against Chainsaw.
Performance improvements
Release notes: https://reload4j.qos.ch/news.html
scalaCollectionCompat 2.6.0 -> 2.10.0
Fixes CVE GHSA-8qv5-68g4-248j, new features (such as Option.when and Iterator.nextOption) and perf improvements.
Release notes:
https://github.com/scala/scala-collection-compat/releases/tag/v2.10.0
https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0
https://github.com/scala/scala-collection-compat/releases/tag/v2.8.0
https://github.com/scala/scala-collection-compat/releases/tag/v2.7.0
Build and test dependencies
junit 5.9.2 -> 5.9.3
Minor bug fixes. Improvements associated with the @MethodSource annotation.
Release notes: https://junit.org/junit5/docs/current/release-notes/index.html#release-notes-5.9.3
jacoco 0.8.8 -> 0.8.10
Release notes:
https://github.com/jacoco/jacoco/releases/tag/v0.8.10
https://github.com/jacoco/jacoco/releases/tag/v0.8.9
scoverage 1.4.11 -> 1.9.3
Release notes:
https://github.com/scoverage/sbt-scoverage/releases?page=2
Compatibility