This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 4783d52a5e Improved: Update build.gradle to the latest dependencies (OFBIZ-12921)
4783d52a5e is described below
commit 4783d52a5ed085f84d68ca511d96495d0b9ef0ba
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Mar 1 07:58:28 2024 +0100
Improved: Update build.gradle to the latest dependencies (OFBIZ-12921)
I did the last update with OFBIZ-12658 in June 2022. IIRW I did not speak about the reason I did not update since. It's simple. We encounter more and more conflicts when upgrading. Often it's hard work to resolve these conflicts for a disputable benefit. After all, it's working why upgrading? As the famous meme "if it ain’t broke, don’t fix it" says. So I decided to only upgrade dependencies when security issues make it necessary. Few weeks ago I finally decided to though have a look at the situation. Clearly it confirms what I thought. If it's not a trivial upgrade that does not bring much, most of the time it's conflicts. So I'll now rather upgrade only in case of security necessity. Of course you are welcome to continue to upgrade as much as possible. Maybe sometimes issues crossed with previous versions will resolved with newer libraries, but that must be very rare...if ever...
---
 build.gradle | 48 ++++++++++++++++++++++++------------------------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/build.gradle b/build.gradle
index 76a613b738..42dd9ec9ef 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,11 +29,11 @@ plugins {
 id 'checkstyle'
 id 'codenarc'
 id 'maven-publish'
- id 'org.asciidoctor.jvm.convert' version '3.3.2'
- id 'org.asciidoctor.jvm.pdf' version '3.3.2'
- id 'org.owasp.dependencycheck' version '7.4.4' apply false
+ id 'org.asciidoctor.jvm.convert' version '3.3.2' // 4.0.2 does not compile
+ id 'org.asciidoctor.jvm.pdf' version '3.3.2' // 4.0.2 does not compile
+ id 'org.owasp.dependencycheck' version '9.0.9' apply false //Not tested after 7.4.4
 id 'se.patrikerdes.use-latest-versions' version '0.2.18' apply false
- id 'com.github.ben-manes.versions' version '0.47.0' apply false
+ id 'com.github.ben-manes.versions' version '0.51.0' apply false
 id "com.github.ManifestClasspath" version "0.1.0-RELEASE"
 id "com.github.jakemarsden.git-hooks" version "0.0.2"
 id "com.github.node-gradle.node" version '7.0.2' apply false
@@ -105,7 +105,7 @@ javadoc {
 links(
 'https://docs.oracle.com/javase/17/docs/api',
 'https://tomcat.apache.org/tomcat-9.0-doc/servletapi/',
- 'http://docs.groovy-lang.org/docs/groovy-3.0.19/html/api',
+ 'http://docs.groovy-lang.org/docs/groovy-3.0.20/html/api',
 'https://commons.apache.org/proper/commons-cli/apidocs'
 )
 }
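Review bot: In the plugins hunk, `org.owasp.dependencycheck` moves from 7.4.4 to 9.0.9 while the trailing comment `//Not tested after 7.4.4` says the new version was never run, so the project's vulnerability scan could be broken without anyone noticing. As far as I know the 9.x line of the plugin reads its data through the NVD API and expects an API key to be configured, so a run of `dependencyCheckAnalyze` on this branch should be confirmed before relying on it. I would replace the comment with one stating what was verified, e.g. `// 9.x uses the NVD API (set nvd.apiKey); dependencyCheckAnalyze verified with 9.0.9`. The plugins block starts and ends outside the hunk.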
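Review bot: The Groovy entry in `links(...)` is still fetched over plain `http://` after the version bump, unlike the three neighbouring `https://` entries. javadoc retrieves the package list from each linked site at build time, so this one lookup can be altered in transit. I would change the new line to `'https://docs.groovy-lang.org/docs/groovy-3.0.20/html/api',`. The javadoc block starts above the hunk.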
@@ -206,12 +206,12 @@ configurations.all {
 dependencies {
 implementation 'com.github.ben-manes.caffeine:caffeine:3.1.8'
- implementation 'com.google.zxing:core:3.5.2'
+ implementation 'com.google.zxing:core:3.5.3'
 implementation 'com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.4.2'
- implementation 'com.googlecode.ez-vcard:ez-vcard:0.11.3'
+ implementation 'com.googlecode.ez-vcard:ez-vcard:0.11.3' // 0.12.1 does not compile
 implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20220608.1'
- implementation 'com.googlecode.libphonenumber:libphonenumber:8.13.20'
- implementation 'com.ibm.icu:icu4j:73.2'
+ implementation 'com.googlecode.libphonenumber:libphonenumber:8.13.31'
+ implementation 'com.ibm.icu:icu4j:74.2'
 implementation ('com.lowagie:itext:2.1.7') { // Don't update due to license change in newer versions, see OFBIZ-10455
 exclude group: 'bouncycastle', module: 'bcmail-jdk14'
 exclude group: 'bouncycastle', module: 'bcprov-jdk14'
@@ -220,10 +220,10 @@ dependencies {
 implementation 'com.sun.mail:javax.mail:1.6.2'
 implementation 'com.rometools:rome:2.1.0'
 implementation 'com.thoughtworks.xstream:xstream:1.4.20'
- implementation 'commons-cli:commons-cli:1.5.0'
+ implementation 'commons-cli:commons-cli:1.6.0'
 implementation 'commons-fileupload:commons-fileupload:1.5'
- implementation 'commons-net:commons-net:3.9.0'
- implementation 'commons-validator:commons-validator:1.7'
+ implementation 'commons-net:commons-net:3.10.0'
+ implementation 'commons-validator:commons-validator:1.8.0'
 implementation 'de.odysseus.juel:juel-impl:2.2.7'
 implementation 'javax.transaction:javax.transaction-api:1.3'
 implementation 'net.fortuna.ical4j:ical4j:1.0-rc4-atlassian-12'
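Review bot: The new `// 0.12.1 does not compile` comment on the ez-vcard line records that an upgrade was tried, but not what failed or whether a newer release on the current line was considered, so a later security advisory gives the next maintainer nothing to start from. The same short comment is added in the first hunk (both asciidoctor plugins) and in the later hunks on dbcp2, geronimo-transaction, pdfbox, cxf-rt-frontend-jaxrs, spring-test and derby, several of which handle untrusted documents or requests. Since the commit message says upgrades will from now on happen only for security reasons, each pin should carry the failing symbol or a tracking issue, e.g. `// 0.12.1 does not compile (<compile error or OFBIZ issue>); re-check on security advisory`. The dependencies block continues outside the hunk.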
@@ -231,23 +231,23 @@ dependencies {
 implementation 'org.apache.ant:ant-junit:1.10.14'
 implementation 'org.apache.commons:commons-collections4:4.4'
 implementation 'org.apache.commons:commons-csv:1.10.0'
- implementation 'org.apache.commons:commons-dbcp2:2.10.0'
+ implementation 'org.apache.commons:commons-dbcp2:2.10.0'// 2.11.0 does not compile.
 implementation 'org.apache.commons:commons-imaging:1.0-alpha3' // Alpha but OK, "Imaging was working and was used by a number of projects in production even before reaching its initial release as an Apache Commons component."
- implementation 'org.apache.commons:commons-text:1.10.0'
- implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.5'
+ implementation 'org.apache.commons:commons-text:1.11.0'
+ implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.5' // 4.0.0 does not compile
 implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
 implementation 'org.apache.httpcomponents:httpclient-cache:4.5.14'
 implementation 'org.apache.logging.log4j:log4j-api:2.20.0' // the API of log4j 2
 implementation 'org.apache.logging.log4j:log4j-core:2.20.0' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
 implementation 'org.apache.poi:poi:4.1.2' // poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server
- implementation 'org.apache.pdfbox:pdfbox:2.0.29'
+ implementation 'org.apache.pdfbox:pdfbox:2.0.29' // 3.0.1 does not compile
 implementation 'org.apache.shiro:shiro-core:1.13.0'
 implementation 'org.apache.sshd:sshd-core:2.10.0'
 implementation 'org.apache.sshd:sshd-sftp:2.10.0'
 implementation 'org.apache.tika:tika-core:2.5.0'
 implementation 'org.apache.tika:tika-parsers:2.5.0'
 implementation 'org.apache.tika:tika-parser-pdf-module:2.5.0'
- implementation 'org.apache.cxf:cxf-rt-frontend-jaxrs:3.5.6'
+ implementation 'org.apache.cxf:cxf-rt-frontend-jaxrs:3.5.6' // 4.0.3 does not compile
 implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.82' // Remember to change the version number (9 now) in javadoc block if needed.
 implementation 'org.apache.tomcat:tomcat-jasper:9.0.82'
 implementation 'org.apache.axis2:axis2-kernel:1.8.2'
@@ -256,11 +256,11 @@ dependencies {
 implementation 'org.apache.xmlgraphics:batik-bridge:1.17'
 implementation 'org.apache.xmlgraphics:fop:2.3' // NOTE: since 2.4 dependencies are messed up. See https://github.com/moqui/moqui-fop/blob/master/build.gradle
 implementation 'org.clojure:clojure:1.11.1'
- implementation 'org.codehaus.groovy:groovy-all:3.0.19'
+ implementation 'org.codehaus.groovy:groovy-all:3.0.20'
 implementation 'org.freemarker:freemarker:2.3.32' // Remember to change the version number in FreeMarkerWorker class when upgrading. See OFBIZ-10019 if >= 2.4
- implementation 'org.owasp.esapi:esapi:2.5.2.0'
+ implementation 'org.owasp.esapi:esapi:2.5.3.1'
 implementation 'org.cyberneko:html:1.9.8'
- implementation 'org.springframework:spring-test:5.3.29'
+ implementation 'org.springframework:spring-test:5.3.29' // 6.1.4 does not compile
 implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
 implementation 'oro:oro:2.0.8'
 implementation 'wsdl4j:wsdl4j:1.6.3'
@@ -268,11 +268,11 @@ dependencies { implementation 'org.jdom:jdom:1.1.3' // don't upgrade above 1.1.3, makes a lot of not obvious and useless complications, see last commits of OFBIZ-12092 for more implementation 'com.google.re2j:re2j:1.7' implementation 'xerces:xercesImpl:2.12.2' - implementation 'org.mustangproject:library:2.8.0' + implementation 'org.mustangproject:library:2.8.0' // 2.10.0 did not work, cf. OFBIZ-12920 (https://github.com/apache/ofbiz-framework/pull/712#issuecomment-1968960963) testImplementation 'org.hamcrest:hamcrest-library:2.2' // Enable junit4 to not depend on hamcrest-1.3 - testImplementation 'org.mockito:mockito-core:4.8.1' + testImplementation 'org.mockito:mockito-core:5.10.0' testImplementation 'org.jmockit:jmockit:1.49' testImplementation 'com.pholser:junit-quickcheck-generators:1.0' @@ -282,7 +282,7 @@ dependencies { runtimeOnly 'net.sf.barcode4j:barcode4j:2.1' runtimeOnly 'org.apache.axis2:axis2-transport-http:1.8.2' runtimeOnly 'org.apache.axis2:axis2-transport-local:1.8.2' - runtimeOnly 'org.apache.derby:derby:10.14.2.0' // So far we did not update from 10.14.2.0 because of a runtime issue with 10.16.1.1: java.lang.ClassNotFoundException: org.apache.derby.jdbc.EmbeddedDriver + runtimeOnly 'org.apache.derby:derby:10.14.2.0' // 10.17.1.0 does not compile runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1' runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.20.0' // for external jars using the old log4j1.2: routes logging to log4j 2 runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.20.0' // for external jars using the java.util.logging: routes logging to log4j 2 @@ -306,7 +306,7 @@ dependencies { implementation fileTree(dir: libDir, include: '**/*.jar') } // specify last codenarc version for java 17 compliance - codenarc('org.codenarc:CodeNarc:3.2.0') + codenarc('org.codenarc:CodeNarc:3.4.0') } def excludedJavaSources = [
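Review bot: In the hunk at -282,7 the rewritten derby comment, `// 10.17.1.0 does not compile`, drops the earlier diagnosis (`java.lang.ClassNotFoundException: org.apache.derby.jdbc.EmbeddedDriver` with 10.16.1.1), which was the only record of why this database driver stays on 10.14.2.0. The dependency is declared `runtimeOnly`, so it is not on the compile classpath, and "does not compile" probably describes some other build or startup failure; the comment should say which. I would keep both facts, e.g. `// 10.16.1.1: ClassNotFoundException org.apache.derby.jdbc.EmbeddedDriver at runtime; 10.17.1.0 also fails (<error seen>)`.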