Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2020/11/12 17:54:19 UTC
dependabot results and
OK - I think it is tamed for now!
A lot of updates, nothing serious showing up. The build became unstable
due to trying to do too much in one go but should now be green - it is
at TravisCI.
Andy
== Process
dependabot is administered by the file
<root>/.github/dependabot.yml
Currently, set to run monthly.
There is no other setting for on/off; if it is there, dependabot runs.
This is not all good; it runs for clones of the repo but they don't get any
tidy-up and suppression of unwanted updates.
The "schedule" is required; otherwise it could be manual and run from the GH
UI via "Insights" -> "Dependency Graph" -> "Dependabot".
== This cycle
There are a couple of major upgrades highlighted:
* Lucene 7 -> 8
* org.osgi.core 5.0.0 -> 6.0.0
(nothing done about them)
Too near to a release for org.osgi.core and Lucene 7->8 is a major
decision and there is no rush that I'm aware of.
* jena-elephas : Uses hadoop 2, guava 11 - I hope I've told the
dependabot to ignore these.
It's the Guava bit that I'm unsure about as we have two different
dependencies.
== Things that broke:
GeoSPARQL
SIS 0.8 -> 1.0 : test failure
(left at 0.8, JENA-1996)
jena-sdb : hsql v2
Left at v1
== Notes
1/
Derby 10.15.x.y requires java9, so updated only as far as 10.14.x.y and
then dependabot asked to ignore the minor version.
(used for testing by jena-sdb and jena-geosparql)
2/
The updated shade plugin has some new warnings about overlapping files.
It looks safe, needs checking (and maybe there are shading transformers
to merge the files).
== Updates done
HttpClient to 4.5.13
commons-lang3 from 3.10 to 3.11
guava 29-jre to 30-jre (shaded)
spatial4j from 0.6 to 0.7
airline.version from 2.1.1 to 2.8.0
jts-core from 1.16.1 to 1.17.1
shiro from 1.5.1 to 1.7.0
jackson from 2.10.1 to 2.11.3
commons-codec 1.14 to 1.15
commons-io from 2.6 to 2.8.0
micrometer from 1.5.5 to 1.6.1
jcommander from 1.72 to 1.78
and plugins.
Andy
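For reference, a dependabot.yml in the shape this message describes, as an added example and not the Jena project's own file: a monthly schedule for the Maven ecosystem plus ignore rules for the cases mentioned above (Derby held on the 10.14 line, Hadoop 2 for jena-elephas, and the Lucene and org.osgi.core major upgrades deliberately not taken). The Maven coordinates, the wildcard patterns and the `update-types` filter are assumptions for illustration and were not copied from the repository; the ecosystem and schedule keys are standard dependabot v2 syntax.

```yaml
# Added example, not Jena's own .github/dependabot.yml.
# Coordinates and the ignore list are assumptions for illustration.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                # directory holding the root pom.xml
    schedule:
      interval: "monthly"         # "schedule" is mandatory; there is no separate on/off switch
    open-pull-requests-limit: 10  # one monthly run can otherwise open a lot of PRs at once
    ignore:
      # Derby 10.15.x.y requires Java 9, so stay on 10.14.x.y:
      # skip minor and major bumps, still accept patch releases.
      - dependency-name: "org.apache.derby:*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-major"
      # jena-elephas is built against Hadoop 2: never propose Hadoop 3.
      - dependency-name: "org.apache.hadoop:*"
        update-types:
          - "version-update:semver-major"
      # Lucene 7 -> 8 is a project decision, not something for the bot to raise.
      - dependency-name: "org.apache.lucene:*"
        update-types:
          - "version-update:semver-major"
      # org.osgi.core 5 -> 6: too near a release, hold the major.
      - dependency-name: "org.osgi:org.osgi.core"
        update-types:
          - "version-update:semver-major"
```

For Maven, `dependency-name` is `groupId:artifactId`, and a trailing `*` matches every artifact in the group. The ignore list applies to the whole `updates` entry, so it does not by itself express "Guava 11 only for jena-elephas while the shaded Guava elsewhere moves to 30"; that per-module split is the open question the message raises and is not solved here.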
Re: dependabot results
Posted by Aaron Coburn <aa...@gmail.com>.
> BTW was there a particular fix in HttpClient 4.5.13 that you wanted?
>
There is a CVE for HttpClient before 4.5.13 related to a malformed
authority component
https://mail-archives.apache.org/mod_mbox/hc-httpclient-users/202010.mbox/%3C4202d88eabd0ad2a0287243b281cad1bd2b9b141.camel%40apache.org%3E
> Elsewhere [*], I have been through all the HTTP APIs in Jena, which have
> lots of history, restructured them to update the style (e.g.
> QueryExecutionHttp.Builder)
>
>
> It's java11 and uses java.net.http, which I found to be easy to use. It has
> async support and internally it is truly async I/O inside.
>
> Andy
>
> [*] https://github.com/afs/jena-http
>
> > but hopefully this will make maintenance quite a lot easier going
> forward.
> >
> > Aaron
> >
> > On Thu, Nov 12, 2020, 12:54 Andy Seaborne <an...@apache.org> wrote:
> >
> >> [...]
Re: dependabot results
Posted by Andy Seaborne <an...@apache.org>.
On 12/11/2020 23:56, Aaron Coburn wrote:
> Thanks, that was a bit of work from a question about just one dependency,
:-)
BTW was there a particular fix in HttpClient 4.5.13 that you wanted?
Elsewhere [*], I have been through all the HTTP APIs in Jena, which have
lots of history, restructured them to update the style (e.g.
QueryExecutionHttp.Builder)
It's java11 and uses java.net.http, which I found to be easy to use. It has
async support and internally it is truly async I/O inside.
Andy
[*] https://github.com/afs/jena-http
> but hopefully this will make maintenance quite a lot easier going forward.
>
> Aaron
>
> On Thu, Nov 12, 2020, 12:54 Andy Seaborne <an...@apache.org> wrote:
>
>> [...]
Re: dependabot results and
Posted by Aaron Coburn <ac...@apache.org>.
Thanks, that was a bit of work from a question about just one dependency,
but hopefully this will make maintenance quite a lot easier going forward.
Aaron
On Thu, Nov 12, 2020, 12:54 Andy Seaborne <an...@apache.org> wrote:
> [...]