Posted to issues@commons.apache.org by "asomov (via GitHub)" <gi...@apache.org> on 2023/01/31 07:49:35 UTC
[GitHub] [commons-configuration] asomov opened a new pull request, #270: Migrate to SnakeYAML Engine
asomov opened a new pull request, #270:
URL: https://github.com/apache/commons-configuration/pull/270
Migrate to SnakeYAML Engine:
- to support YAML 1.2
- to get rid of false positives for potential vulnerabilities in SnakeYAML
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [commons-configuration] garydgregory commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1092592063
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
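Review bot: The last line of this hunk sets `<japicmp.skip>true</japicmp.skip>`, which switches the japicmp check off for the whole build, so no API change in this build is checked any more, not only the one that follows from moving the import from `org.yaml.snakeyaml.*` to `org.snakeyaml.engine.*`. Leave the property at `false` so the build keeps reporting incompatibilities, and state in the PR description that the package change is intended for a major release.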
Review Comment:
You don't indicate anything, and you don't turn off JApiCmp, as JApiCmp will fail the build if the PR breaks BC.
[GitHub] [commons-configuration] asomov commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "asomov (via GitHub)" <gi...@apache.org>.
asomov commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1409912191
I applied this, because I could not build it otherwise (it was `false`):
`<japicmp.skip>true</japicmp.skip>`
[GitHub] [commons-configuration] garydgregory commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1411971570
Since this PR breaks BC according to your earlier comment, it is -1. This PR hides this fact by disabling BC checking. BC can only be broken in a major release. There are currently no plans for a major release. My advice is to change this PR by reenabling BC checking and leave it open as a reminder for the next major release. Creating a Jira would also serve as a reminder for this request.
[GitHub] [commons-configuration] garydgregory commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1454133125
We updated snakeyaml to 2.0.
[GitHub] [commons-configuration] asomov commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "asomov (via GitHub)" <gi...@apache.org>.
asomov commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1092282495
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
Review Comment:
@garydgregory how can I indicate that it is a backwards incompatible change? To be included in the next major release. I think the master branch is exactly for it.
[GitHub] [commons-configuration] asomov commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "asomov (via GitHub)" <gi...@apache.org>.
asomov commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1412038286
@garydgregory I think the simplest for me is to keep this PR until a major version comes.
[GitHub] [commons-configuration] garydgregory commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1091769147
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
Review Comment:
-1 obviously, you can't turn off this check for binary compatibility.
[GitHub] [commons-configuration] garydgregory commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1092049982
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
Review Comment:
Yes: Don't change that setting. You cannot break binary compatibility (BC) outside of a major release upgrade. If this PR breaks BC, then it's -1.
Gary
[GitHub] [commons-configuration] asomov commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "asomov (via GitHub)" <gi...@apache.org>.
asomov commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1091845360
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
Review Comment:
It is binary incompatible.
[GitHub] [commons-configuration] garydgregory commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1411212430
You don't indicate anything, and you don't turn off JApiCmp, as JApiCmp will fail the build if the PR breaks BC.
[GitHub] [commons-configuration] asomov commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "asomov (via GitHub)" <gi...@apache.org>.
asomov commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1091847445
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
Review Comment:
@garydgregory can you please suggest the way to continue?
[GitHub] [commons-configuration] asomov commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "asomov (via GitHub)" <gi...@apache.org>.
asomov commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1092784354
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
Review Comment:
@garydgregory I did not quite catch you. Do you mean that I need to provide a PR which breaks the build?
[GitHub] [commons-configuration] garydgregory commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1465306018
@asomov
Closing: We updated snakeyaml to 2.0.
[GitHub] [commons-configuration] codecov-commenter commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "codecov-commenter (via GitHub)" <gi...@apache.org>.
codecov-commenter commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1410065092
# [Codecov](https://codecov.io/gh/apache/commons-configuration/pull/270?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#270](https://codecov.io/gh/apache/commons-configuration/pull/270?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (fd9b8f0) into [master](https://codecov.io/gh/apache/commons-configuration/commit/b770731fe9e5ccb1b215faf67a35dfd07a422404?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (b770731) will **increase** coverage by `0.08%`.
> The diff coverage is `76.00%`.
```diff
@@ Coverage Diff @@
## master #270 +/- ##
============================================
+ Coverage 89.04% 89.13% +0.08%
Complexity 3534 3534
============================================
Files 183 183
Lines 9649 9652 +3
Branches 1196 1196
============================================
+ Hits 8592 8603 +11
+ Misses 776 768 -8
Partials 281 281
```
| [Impacted Files](https://codecov.io/gh/apache/commons-configuration/pull/270?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
|---|---|---|
| [...ache/commons/configuration2/YAMLConfiguration.java](https://codecov.io/gh/apache/commons-configuration/pull/270?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2NvbW1vbnMvY29uZmlndXJhdGlvbjIvWUFNTENvbmZpZ3VyYXRpb24uamF2YQ==) | `73.33% <76.00%> (+20.95%)` | :arrow_up: |
[GitHub] [commons-configuration] asomov commented on pull request #270: Migrate to SnakeYAML Engine
Posted by "asomov (via GitHub)" <gi...@apache.org>.
asomov commented on PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#issuecomment-1410251151
@kinow I did my best to create a JIRA, but unfortunately there is no way to create an account there. I am stuck.
[GitHub] [commons-configuration] garydgregory commented on a diff in pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on code in PR #270:
URL: https://github.com/apache/commons-configuration/pull/270#discussion_r1092049982
##########
pom.xml:
##########
@@ -551,15 +551,15 @@
org.apache.commons.vfs2.*;resolution:=optional,
org.springframework.*;resolution:=optional,
com.fasterxml.jackson.*;resolution:=optional,
- org.yaml.snakeyaml.*;resolution:=optional,
+ org.snakeyaml.engine.*;resolution:=optional,
*
</commons.osgi.import>
<log4j.version>2.19.0</log4j.version>
<slf4j.version>2.0.5</slf4j.version>
<!-- Spring 6 requires Java 17 -->
<spring.version>5.3.24</spring.version>
- <japicmp.skip>false</japicmp.skip>
+ <japicmp.skip>true</japicmp.skip>
Review Comment:
Yes: Don't change that setting. You cannot break binary compatibility (BC) outside of a major release upgrade. If PR breaks BC, then it's -1.
Gary
[GitHub] [commons-configuration] garydgregory closed pull request #270: Migrate to SnakeYAML Engine
Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory closed pull request #270: Migrate to SnakeYAML Engine
URL: https://github.com/apache/commons-configuration/pull/270