Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2018/02/09 08:57:00 UTC
[jira] [Commented] (OFBIZ-9674) Update build.gradle to the latest dependencies
[ https://issues.apache.org/jira/browse/OFBIZ-9674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16358124#comment-16358124 ]
Jacques Le Roux commented on OFBIZ-9674:
----------------------------------------
Hi Michael, Julian,
Today I ran "gradlew dependencyUpdates -Drevision=release" again and got this result:
{noformat}
------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest release version:
- org.apache.axis2:axis2-kernel:1.7.7
- org.apache.axis2:axis2-transport-http:1.7.7
- org.apache.axis2:axis2-transport-local:1.7.7
- net.sf.barcode4j:barcode4j:2.1
- net.sf.barcode4j:barcode4j-fop-ext:2.1
- org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380
- commons-cli:commons-cli:1.4
- org.apache.commons:commons-collections4:4.1
- org.apache.commons:commons-csv:1.5
- org.apache.commons:commons-dbcp2:2.2.0
- commons-net:commons-net:3.6
- commons-validator:commons-validator:1.6
- com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.4.2
- org.apache.derby:derby:10.14.1.0
- org.owasp.esapi:esapi:2.1.0.1
- com.googlecode.ez-vcard:ez-vcard:0.9.10
- org.apache.xmlgraphics:fop:2.2
- org.freemarker:freemarker:2.3.27-incubating
- org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1
- org.apache.geronimo.components:geronimo-transaction:3.1.4
- at.bxm.gradleplugins:gradle-svntools-plugin:2.2.1
- com.github.ben-manes:gradle-versions-plugin:0.17.0
- com.google.guava:guava:20.0
- org.hamcrest:hamcrest-all:1.3
- net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11
- com.ibm.icu:icu4j:60.2
- org.zapodot:jackson-databind-java-optional:2.6.1
- javax.el:javax.el-api:3.0.1-b04
- com.sun.mail:javax.mail:1.6.0
- javax.servlet:javax.servlet-api:4.0.0
- javax.servlet.jsp:javax.servlet.jsp-api:2.3.2-b02
- io.jsonwebtoken:jjwt:0.9.0
- org.jsoup:jsoup:1.11.2
- de.odysseus.juel:juel-impl:2.2.7
- de.odysseus.juel:juel-spi:2.2.7
- org.safehaus.jug:jug:2.0.0
- junit:junit:4.12
- junit:junit-dep:4.11
- org.apache.logging.log4j:log4j-1.2-api:2.10.0
- org.apache.logging.log4j:log4j-api:2.10.0
- org.apache.logging.log4j:log4j-core:2.10.0
- org.apache.logging.log4j:log4j-jul:2.10.0
- org.apache.logging.log4j:log4j-slf4j-impl:2.10.0
- org.apache.lucene:lucene-analyzers-common:7.2.1
- org.apache.lucene:lucene-core:7.2.1
- org.apache.lucene:lucene-queryparser:7.2.1
- org.mockito:mockito-core:2.13.0
- oro:oro:2.0.8
- org.apache.poi:poi:3.17
- org.apache.shiro:shiro-core:1.4.0
- org.apache.solr:solr-core:7.2.1
- org.eclipse.birt.runtime:viewservlets:4.5.0
- wsdl4j:wsdl4j:1.6.3
- apache-xerces:xercesImpl:2.9.1
- org.apache.xmlrpc:xmlrpc-client:3.1.3
- org.apache.xmlrpc:xmlrpc-server:3.1.3
- com.thoughtworks.xstream:xstream:1.4.10
The following dependencies exceed the version found at the release revision level:
- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer [20170515.1 <- 1.1]
The following dependencies have later release versions:
- org.apache.ant:ant-junit [1.9.7 -> 1.10.2]
- org.jasig.cas:cas-server-core [3.3.5 -> 4.2.7]
- com.google.zxing:core [3.3.1 -> 3.3.2]
- org.codehaus.groovy:groovy-all [2.4.13 -> 3.0.0-alpha-1]
- org.apache.httpcomponents:httpclient-cache [4.5.4 -> 4.5.5]
- com.lowagie:itext [4.2.0 -> 4.2.2]
- com.googlecode.libphonenumber:libphonenumber [8.8.7 -> 8.8.11]
- org.apache.poi:poi-excelant [3.14 -> 3.17]
- org.apache.poi:poi-ooxml [3.14 -> 3.17]
- org.apache.poi:poi-ooxml-schemas [3.14 -> 3.17]
- org.apache.poi:poi-scratchpad [3.14 -> 3.17]
- org.springframework:spring-test [5.0.2.RELEASE -> 5.0.3.RELEASE]
- org.apache.tika:tika-core [1.16 -> 1.17]
- org.apache.tika:tika-parsers [1.16 -> 1.17]
- org.apache.tomcat:tomcat-catalina [8.5.24 -> 9.0.4]
- org.apache.tomcat:tomcat-catalina-ha [8.5.24 -> 9.0.4]
- org.apache.tomcat.embed:tomcat-embed-websocket [8.5.23 -> 9.0.4]
- org.apache.tomcat:tomcat-jasper [8.5.24 -> 9.0.4]
- org.apache.tomcat:tomcat-tribes [8.5.24 -> 9.0.4]
Failed to determine the latest version for the following dependencies (use --info for details):
- com.sun.syndication:com.springsource.com.sun.syndication
- org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec
{noformat}
I suggest that we run this from time to time (I think every quarter is enough) and update libs when needed. What do you think? I think we should create a new Jira each time, right?
> Update build.gradle to the latest dependencies
> ----------------------------------------------
>
> Key: OFBIZ-9674
> URL: https://issues.apache.org/jira/browse/OFBIZ-9674
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Minor
> Fix For: 17.12.01
>
> Attachments: OFBIZ-9674_Update_buildgradle.patch
>
>
> I wondered how up-to-date our project dependencies are and searched for an efficient way to check this. I found the gradle-versions-plugin [1], which analyzes the dependencies and checks if there are newer versions available.
> I ran the check with
> {code:java}
> ./gradlew dependencyUpdates -Drevision=release
> {code}
> and got the following result:
> ------------------------------------------------------------
> : Project Dependency Updates (report to plain text file)
> ------------------------------------------------------------
> The following dependencies are using the latest release version:
> - net.sf.barcode4j:barcode4j:2.1
> - net.sf.barcode4j:barcode4j-fop-ext:2.1
> - org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380
> - org.apache.commons:commons-collections4:4.1
> - com.googlecode.ez-vcard:ez-vcard:0.9.10
> - org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1
> - org.apache.geronimo.components:geronimo-transaction:3.1.4
> - at.bxm.gradleplugins:gradle-svntools-plugin:2.2.1
> - com.github.ben-manes:gradle-versions-plugin:0.15.0
> - org.hamcrest:hamcrest-all:1.3
> - net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11
> - javax.el:javax.el-api:3.0.1-b04
> - de.odysseus.juel:juel-impl:2.2.7
> - de.odysseus.juel:juel-spi:2.2.7
> - junit:junit:4.12
> - oro:oro:2.0.8
> - apache-xerces:xercesImpl:2.9.1
> The following dependencies exceed the version found at the release revision level:
> - com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer [20160628.1 <- 1.1]
> The following dependencies have later release versions:
> - org.apache.ant:ant-junit [1.9.0 -> 1.10.1]
> - org.apache.ant:ant-junit [1.9.7 -> 1.10.1]
> - org.apache.axis2:axis2-kernel [1.7.1 -> 1.7.6]
> - org.apache.axis2:axis2-transport-http [1.7.1 -> 1.7.6]
> - org.apache.axis2:axis2-transport-local [1.7.1 -> 1.7.6]
> - commons-cli:commons-cli [1.3.1 -> 1.4]
> - org.apache.commons:commons-csv [1.1 -> 1.5]
> - org.apache.commons:commons-dbcp2 [2.1 -> 2.1.1]
> - commons-net:commons-net [3.3 -> 3.6]
> - commons-validator:commons-validator [1.5.1 -> 1.6]
> - com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru [1.0 -> 1.4.2]
> - com.google.zxing:core [3.2.1 -> 3.3.0]
> - org.apache.derby:derby [10.11.1.1 -> 10.13.1.1]
> - org.owasp.esapi:esapi [2.1.0 -> 2.1.0.1]
> - org.apache.xmlgraphics:fop [2.1 -> 2.2]
> - org.freemarker:freemarker [2.3.25-incubating -> 2.3.26-incubating]
> - org.codehaus.groovy:groovy-all [2.4.12 -> 2.5.0-beta-1]
> - org.apache.httpcomponents:httpclient-cache [4.4.1 -> 4.5.3]
> - com.ibm.icu:icu4j [57.1 -> 59.1]
> - com.lowagie:itext [2.1.7 -> 4.2.2]
> - org.zapodot:jackson-databind-java-optional [2.4.2 -> 2.6.1]
> - com.sun.mail:javax.mail [1.5.1 -> 1.6.0]
> - javax.servlet:javax.servlet-api [3.1.0 -> 4.0.0]
> - javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
> - junit:junit-dep [4.10 -> 4.11]
> - com.googlecode.libphonenumber:libphonenumber [8.6.0 -> 8.8.0]
> - org.apache.logging.log4j:log4j-1.2-api [2.6.2 -> 2.9.0]
> - org.apache.logging.log4j:log4j-api [2.6.2 -> 2.9.0]
> - org.apache.logging.log4j:log4j-core [2.6.2 -> 2.9.0]
> - org.apache.logging.log4j:log4j-jul [2.6.2 -> 2.9.0]
> - org.apache.logging.log4j:log4j-slf4j-impl [2.6.2 -> 2.9.0]
> - org.mockito:mockito-core [1.10.19 -> 2.9.0]
> - org.apache.poi:poi [3.14 -> 3.17-beta1]
> - org.apache.shiro:shiro-core [1.3.0 -> 1.4.0]
> - org.springframework:spring-test [4.2.3.RELEASE -> 4.3.10.RELEASE]
> - org.apache.tika:tika-core [1.12 -> 1.16]
> - org.apache.tika:tika-parsers [1.12 -> 1.16]
> - org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
> - org.apache.tomcat:tomcat-catalina-ha [8.5.16 -> 9.0.0.M25]
> - org.apache.tomcat:tomcat-jasper [8.5.16 -> 9.0.0.M26]
> - org.apache.tomcat:tomcat-tribes [8.5.16 -> 9.0.0.M25]
> - wsdl4j:wsdl4j [1.6.2 -> 1.6.3]
> - org.apache.xmlrpc:xmlrpc-client [3.1.2 -> 3.1.3]
> - org.apache.xmlrpc:xmlrpc-server [3.1.2 -> 3.1.3]
> - com.thoughtworks.xstream:xstream [1.4.9 -> 1.4.10]
> Failed to determine the latest version for the following dependencies (use --info for details):
> - com.sun.syndication:com.springsource.com.sun.syndication
> - org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec
> Generated report file build/dependencyUpdates/report.txt
> ===
> If there are no objections, I would try to update the dependencies to the latest release versions, which means I would skip the milestone versions for e.g. Tomcat here.
> We can run this check from time to time to see if we have missed updates to the dependencies.
> What do you think? Is this reasonable?
> Thanks,
> Michael
> [1] https://github.com/ben-manes/gradle-versions-plugin
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
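
For the periodic check proposed in this thread, the plain-text report can be triaged automatically so that pre-release targets (such as the Tomcat milestone builds the issue description proposes to skip) are separated from stable upgrades. This is an added example, not code from the messages above or from the OFBiz project; `triage`, `is_prerelease` and the list of pre-release qualifiers are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Section headers as printed in the plain-text report quoted in this thread.
SECTIONS = {
    "The following dependencies are using the latest": "current",
    "The following dependencies exceed the version": "exceeds",
    "The following dependencies have later release versions": "outdated",
    "Failed to determine the latest version": "unresolved",
}
ENTRY = re.compile(r"^-\s+(\S+)(?:\s+\[(\S+)\s+(?:->|<-)\s+(\S+)\])?$")
# Assumption: version tokens that mark a non-final build (alpha, beta1, rc2, M26).
PRERELEASE = re.compile(r"^(?:(?:alpha|beta|rc|cr|pre|snapshot)\d*|m\d+)$", re.I)

def is_prerelease(version):
    return any(PRERELEASE.match(tok) for tok in re.split(r"[.\-_]", version))

def triage(report):
    """Group entries by section; split 'outdated' into prerelease/major/minor."""
    result, section = defaultdict(list), None
    for raw in report.splitlines():
        line = raw.lstrip("> ").rstrip()  # also accepts mail-quoted lines
        header = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        if header:
            section = header
            continue
        m = ENTRY.match(line)
        if not (section and m):
            continue
        coord, current, latest = m.groups()
        if section == "outdated" and latest:
            if is_prerelease(latest):
                key = "prerelease"
            else:
                same = current.split(".")[0] == latest.split(".")[0]
                key = "minor" if same else "major"
            result[key].append((coord, current, latest))
        else:
            result[section].append(coord)
    return dict(result)

# Sample assembled from lines of the two reports above.
SAMPLE = """\
The following dependencies have later release versions:
 - org.codehaus.groovy:groovy-all [2.4.13 -> 3.0.0-alpha-1]
 - org.apache.tika:tika-core [1.16 -> 1.17]
 - org.apache.tomcat:tomcat-catalina [8.5.24 -> 9.0.4]
> - org.apache.tomcat:tomcat-jasper [8.5.16 -> 9.0.0.M26]
Failed to determine the latest version for the following dependencies (use --info for details):
 - com.sun.syndication:com.springsource.com.sun.syndication
"""
```

Calling `triage(SAMPLE)` returns the entries keyed by `prerelease`, `major`, `minor` and `unresolved`; the `unresolved` bucket is worth reviewing by hand, since the plugin could not check those artifacts at all.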