Posted to dev@tomee.apache.org by GitBox <gi...@apache.org> on 2022/04/12 12:05:54 UTC

[GitHub] [tomee] Celebrate-future opened a new pull request, #852: Could org.apache.tomee:tomee-server-version:9.0.0-M8-SNAPSHOT drop off redundant dependencies?

Celebrate-future opened a new pull request, #852:
URL: https://github.com/apache/tomee/pull/852

   Hi! I found that the pom file of the project **_org.apache.tomee:tomee-server-version:9.0.0-M8-SNAPSHOT_** introduces **_6_** dependencies. However, among them, **_3_** libraries (**_50%_**) are not used by your project. I list the redundant dependencies below (labelled in red in the figure):
   ## Redundant dependencies
   org.tomitribe:tomitribe-util:jar:1.2.3:compile
   org.tomitribe:swizzle:jar:1.0:compile
   org.apache.commons:commons-compress:jar:1.14:compile
   
   ---
   Removing the redundant dependencies can reduce the size of the project and prevent potential dependency conflict issues (i.e., multiple versions of the same library). More importantly, one of the redundant dependencies, **_org.apache.commons:commons-compress:jar:1.14:compile_**, incorporates a medium-level vulnerability, SNYK-JAVA-ORGAPACHECOMMONS-1316639. As such, I suggest a refactoring operation for **_org.apache.tomee:tomee-server-version:9.0.0-M8-SNAPSHOT_**’s pom file.
   
   The attached PR helps resolve the reported problem. It is safe to remove the unused libraries (we considered Java reflection relations when analyzing the dependencies). These changes have passed **_org.apache.tomee:tomee-server-version:9.0.0-M8-SNAPSHOT_**’s Maven tests.
   
   Best regards
   ![image](https://user-images.githubusercontent.com/78527112/162958881-b42171ed-5881-41da-ac7a-bbd20b2fe0e5.png)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomee.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
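The clean-up proposed in the PR above can be repeated and checked mechanically: run the maven-dependency-plugin's `dependency:analyze` goal, take the coordinates it reports under "Unused declared dependencies found:", and strip exactly those `<dependency>` elements from the pom. The script below is an added example, not TomEE code or the PR author's tool; the analyze output format and the sample pom are constructed, and only the three coordinates come from the PR.

```python
# Added example, not TomEE code: drop the <dependency> entries that `mvn dependency:analyze`
# lists under "Unused declared dependencies found:" (that heading format is assumed).
import re, xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # keep a default namespace in the output instead of ns0:

# Constructed analyze output with the three coordinates named in the PR.
ANALYZE_LOG = """\
[WARNING] Unused declared dependencies found:
[WARNING]    org.tomitribe:tomitribe-util:jar:1.2.3:compile
[WARNING]    org.tomitribe:swizzle:jar:1.0:compile
[WARNING]    org.apache.commons:commons-compress:jar:1.14:compile
[INFO] ------------------------------------------------------------------------
"""
# Constructed pom: the three flagged dependencies plus one that really is used.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <dependencies>
    <dependency><groupId>org.tomitribe</groupId><artifactId>tomitribe-util</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.tomitribe</groupId><artifactId>swizzle</artifactId><version>1.0</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-compress</artifactId><version>1.14</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>really-used</artifactId><version>2.0</version></dependency>
  </dependencies>
</project>"""

def unused_declared(log: str) -> set:
    """Return the (groupId, artifactId) pairs listed under the 'Unused declared' heading only."""
    found, collecting = set(), False
    for line in log.splitlines():
        body = re.sub(r"^\[WARNING\]\s*", "", line)
        if body.startswith("Unused declared dependencies found:"):
            collecting = True
        elif collecting:
            parts = body.strip().split(":")  # groupId:artifactId:type[:classifier]:version:scope
            if not line.startswith("[WARNING]") or len(parts) < 4:
                break  # another heading or the end of the report ends the block
            found.add((parts[0], parts[1]))
    return found

def prune_pom(pom_xml: str, unused: set) -> tuple:
    """Remove matching <dependency> elements; return (rewritten pom, removed 'g:a' list)."""
    root, ns, removed = ET.fromstring(pom_xml), {"m": POM_NS}, []
    for deps in root.findall("m:dependencies", ns):  # direct children only; <dependencyManagement> untouched
        for dep in list(deps.findall("m:dependency", ns)):
            ga = (dep.findtext("m:groupId", "", ns), dep.findtext("m:artifactId", "", ns))
            if ga in unused:
                deps.remove(dep)
                removed.append(":".join(ga))
    return ET.tostring(root, encoding="unicode"), removed
```

Matching on groupId:artifactId rather than the full coordinate keeps the check stable when the version is managed in a parent pom; re-running `dependency:analyze` on the rewritten pom should then report no unused declared dependencies.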


[GitHub] [tomee] rzo1 commented on pull request #852: Could org.apache.tomee:tomee-server-version:9.0.0-M8-SNAPSHOT drop off redundant dependencies?

Posted by GitBox <gi...@apache.org>.
rzo1 commented on PR #852:
URL: https://github.com/apache/tomee/pull/852#issuecomment-1166518838

   @Celebrate-future Thanks for the PR!




[GitHub] [tomee] rzo1 merged pull request #852: Could org.apache.tomee:tomee-server-version:9.0.0-M8-SNAPSHOT drop off redundant dependencies?

Posted by GitBox <gi...@apache.org>.
rzo1 merged PR #852:
URL: https://github.com/apache/tomee/pull/852

