Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2020/11/15 14:46:53 UTC

Re: dependabot results


On 12/11/2020 23:56, Aaron Coburn wrote:
> Thanks, that was a bit of work from a question about just one dependency,

:-)

BTW was there a particular fix in HttpClient 4.5.13 that you wanted?

Elsewhere [*], I have been through all the HTTP APIs in Jena, which have 
lots of history, and restructured them to update the style (e.g. 
QueryExecutionHttp.Builder).


It's Java 11, using java.net.http, which I found to be easy to use. It has 
async support and internally it is truly async I/O.

     Andy

[*] https://github.com/afs/jena-http

> but hopefully this will make maintenance quite a lot easier going forward.
> 
> Aaron
> 
> On Thu, Nov 12, 2020, 12:54 Andy Seaborne <an...@apache.org> wrote:
> 
>> OK - I think it is tamed for now!
>>
>> A lot of updates, nothing serious showing up. The build became unstable
>> due to trying to do too much in one go but should now be green - it is
>> at TravisCI.
>>
>>       Andy
>>
>> == Process
>>
>> dependabot is administered by the file
>>
>> <root>/.github/dependabot.yml
>>
>> Currently, set to run monthly.
>>
>> There is no other setting for on/off; if it is there, dependabot runs.
>>
>> This is not all good; it runs for clones of the repo but they don't get any
>> tidying or suppression of unwanted updates.
>>
>> The "schedule" is required otherwise it could be manual and run from GH
>> UI via "Insights" -> "Dependency Graph" -> "Dependabot".
>>
>> == This cycle
>>
>> There are a couple of major upgrades highlighted:
>>
>> * Lucene 7 -> 8
>> * org.osgi.core 5.0.0 -> 6.0.0
>>
>> (nothing done about them)
>>
>> Too near to a release for org.osgi.core and Lucene 7->8 is a major
>> decision and there is no rush that I'm aware of.
>>
>> * jena-elephas : Uses hadoop 2, guava 11 - I hope I've told the
>> dependabot to ignore these.
>>
>> It's the Guava bit that I'm unsure about as we have two different
>> dependencies.
>>
>> == Things that broke:
>>
>> GeoSPARQL
>> SIS 0.8 -> 1.0 : test failure
>> (left at 0.8, JENA-1996)
>>
>> jena-sdb : hsql v2
>>     Left at v1
>>
>> == Notes
>>
>> 1/
>> Derby 10.15.x.y requires Java 9, so updated only as far as 10.14.x.y and
>> then dependabot asked to ignore the minor version.
>> (used for testing by jena-sdb and jena-geosparql)
>>
>> 2/
>> The updated shade plugin has some new warnings about overlapping files.
>> It looks safe, needs checking (and maybe there are shading transformers
>> to merge the files).
>>
>>
>> == Updates done
>>
>> HttpClient to 4.5.13
>> commons-lang3 from 3.10 to 3.11
>> guava 29-jre to 30-jre (shaded)
>> spatial4j from 0.6 to 0.7
>> airline.version from 2.1.1 to 2.8.0
>> jts-core from 1.16.1 to 1.17.1
>> shiro from 1.5.1 to 1.7.0
>> jackson from 2.10.1 to 2.11.3
>> commons-codec 1.14 to 1.15
>> commons-io from 2.6 to 2.8.0
>> micrometer from 1.5.5 to 1.6.1
>> jcommander from 1.72 to 1.78
>>
>> and plugins.
>>
>>       Andy
>>
> 
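
A configuration along the lines of the process described in the message above, as an added example that is not the Jena project's own dependabot.yml: it uses the Dependabot v2 schema as currently documented; the module directory, the wildcard Maven coordinates and the exact version ranges are assumptions chosen to illustrate the monthly schedule and the ignore cases the thread mentions (Derby minor versions, Hadoop 2 and Guava 11 in jena-elephas, and the undecided Lucene and org.osgi.core major upgrades).

```yaml
# Added example (not the Jena repository's file): .github/dependabot.yml
# Directory names, coordinates and ranges are assumptions for illustration.
version: 2
updates:
  # Root Maven build, checked once a month as the thread describes.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "monthly"
    ignore:
      # Derby 10.15 requires Java 9+: stay on 10.14.x, so ignore
      # minor (and major) bumps and still accept 10.14.x.y patch releases.
      - dependency-name: "org.apache.derby:derby"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
      # Lucene 7 -> 8 is a project decision, not something for a bot PR.
      - dependency-name: "org.apache.lucene:*"
        update-types: ["version-update:semver-major"]
      # org.osgi.core 6.0.0 postponed until after the release.
      # Maven entries take Maven range syntax: "[6.0.0,)" = 6.0.0 and above.
      - dependency-name: "org.osgi:org.osgi.core"
        versions: ["[6.0.0,)"]

  # jena-elephas is pinned to Hadoop 2 and Guava 11; scoping the ignore
  # rules to that module keeps the root build free to move Guava forward.
  - package-ecosystem: "maven"
    directory: "/jena-elephas"
    schedule:
      interval: "monthly"
    ignore:
      - dependency-name: "org.apache.hadoop:*"
        versions: ["[3.0,)"]
      - dependency-name: "com.google.guava:guava"
        versions: ["[12,)"]
```

Two points worth knowing when adopting this: Dependabot reads the file from the default branch and, as the message says, runs wherever the file exists, so a fork that wants to keep the file but receive no version-update PRs can set `open-pull-requests-limit: 0` on an entry (security updates are not affected by that limit). The `versions` field uses the package manager's own range syntax, so Maven entries take Maven ranges such as `[3.0,)` rather than npm-style `^3`; `update-types` is the package-manager-independent way to express "no major or minor bumps".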

Re: dependabot results

Posted by Aaron Coburn <aa...@gmail.com>.
> BTW was there a particular fix in HttpClient 4.5.13 that you wanted?
>

There is a CVE for HttpClient before 4.5.13 related to a malformed
authority component
https://mail-archives.apache.org/mod_mbox/hc-httpclient-users/202010.mbox/%3C4202d88eabd0ad2a0287243b281cad1bd2b9b141.camel%40apache.org%3E

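
As an added example, not code from Jena or from HttpClient, and not the input from the advisory Aaron links: a pre-flight check on request URIs that rejects any whose authority component does not parse strictly as `[user-info@]host[:port]` before the URI reaches an HTTP client. Upgrading to HttpClient 4.5.13 is the actual fix; this is a defence-in-depth check for code that builds request URIs from untrusted strings. The class and method names are chosen here, and the sample URIs in `main` are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/*
 * Added example (not Jena or HttpClient code): refuse request URIs whose
 * authority component does not parse as a proper server authority
 * (user-info@host:port) before handing them to an HTTP client.
 * The sample URIs in main() are constructed for illustration; they are not
 * the input from the HttpClient advisory referred to in the thread.
 */
public final class RequestUriCheck {

    /**
     * Returns the host a request to {@code uri} would be sent to.
     * Throws if the scheme is not http(s) or the authority is not a
     * well-formed server authority, so callers never pass on a URI for
     * which java.net.URI reports an authority but no host.
     */
    public static String requireServerHost(String uri) throws URISyntaxException {
        URI u = new URI(uri);
        String scheme = u.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new URISyntaxException(uri, "scheme must be http or https");
        }
        // The URI constructor accepts a "registry-based" authority when the
        // strict server form does not parse (getHost() is then null).
        // parseServerAuthority() re-parses it strictly and throws otherwise.
        URI strict = u.parseServerAuthority();
        String host = strict.getHost();
        if (host == null || host.isEmpty()) {
            throw new URISyntaxException(uri, "authority has no host");
        }
        return host;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "https://example.org/sparql",          // well-formed
            "http://user@example.org:8080/query",  // user-info and port are fine
            "http://bad_host.example/",            // '_' is not legal in a hostname
            "http://example.org@@/",               // malformed authority, no host
        };
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> host " + requireServerHost(s));
            } catch (URISyntaxException e) {
                System.out.println("REJECT  " + s + " (" + e.getReason() + ")");
            }
        }
    }
}
```

The first two samples yield `example.org`; the last two are rejected by `parseServerAuthority()`, which is the point: `new URI(...)` alone succeeds on them and returns `null` from `getHost()`, so a client that derives the target host by its own parsing of `getAuthority()` can disagree with the standard parser. Validating with `parseServerAuthority()` keeps the two views consistent.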