[ https://issues.apache.org/jira/browse/GUACAMOLE-1905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17822243#comment-17822243 ]

Mike Jumper commented on GUACAMOLE-1905:
----------------------------------------

[~vnick]: Yep! We have automatic scanning defined in the main {{pom.xml}} - you 
just need to enable that part of the build. There are other things to check, 
though. In all:

* Java dependencies (via Maven)
* JavaScript dependencies (via NPM)
* Docker image dependencies (these are mostly automatic, but the JDBC drivers 
need to be manually updated when new compatible versions are available)

h3. Checking Maven dependencies

Set the {{checkDependencies}} property to {{true}} to enable automatic checks:

{code:none}
mvn -DcheckDependencies=true clean package
{code}

The build will then additionally:

 # Check for dependencies that have new versions that are likely compatible 
(excluding transitive and build-only dependencies), saving the results in the 
{{target/}} directory of each project (including the top-level guacamole-client 
project) as {{dependency-update-report.txt}}.
 # Check for dependencies that have known security issues (_including_ 
transitive dependencies), saving the results in the {{target/}} directory of 
each project (including the top-level guacamole-client project) as an HTML 
report called {{dependency-check-report.html}}.

Both of these checks tend to produce false positives, so that's as far as the 
automation goes, but it does help. I usually use {{find}} to locate and check 
each of these.

h3. Checking JavaScript dependencies

For JavaScript libraries that are part of the webapp, you'll need to check 
those separately by changing to the {{guacamole/src/main/frontend/}} directory 
and running:

{code:none}
npm outdated
{code}

and:

{code:none}
npm audit
{code}

Many of these dependencies are build-time only. Others are not, but cannot be 
updated without migrating to Webpack v5 (which the closure compiler plugin 
doesn't support).

h3. Checking Docker dependencies

The _only_ dependencies that need checking within the Docker image are the JDBC 
drivers, each defined with build args:

https://github.com/apache/guacamole-client/blob/4c24bfd18d7e5c5717c6c1fbf7b851083b2b17c8/Dockerfile#L53-L56

> Update dependencies to latest stable and compatible versions
> ------------------------------------------------------------
>
>                 Key: GUACAMOLE-1905
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1905
>             Project: Guacamole
>          Issue Type: Task
>            Reporter: Nick Couchman
>            Priority: Minor
>             Fix For: 1.5.5
>
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
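The comment above describes running the Maven build with {{checkDependencies}} enabled and then using {{find}} to locate the per-module {{dependency-update-report.txt}} and {{dependency-check-report.html}} files under each {{target/}} directory. The POSIX shell script below is an added example, not code from the Guacamole project or from the commenter: it walks a checkout, lists only the update reports that contain at least one upgrade candidate, totals those candidates, and lists the security reports that still need a manual look for false positives. It assumes the report file names stated in the comment and assumes the versions-maven-plugin line format {{old -> new}} for upgrade candidates; the sample module tree it builds with {{make_sample_tree}} is constructed so the script runs offline without Maven.

```shell
#!/bin/sh
# Added example (not Guacamole project code): summarise the reports written by
# "mvn -DcheckDependencies=true clean package" under every target/ directory.
# Assumed: versions-maven-plugin marks each upgrade candidate with "old -> new".
# The sample tree built by make_sample_tree is constructed for offline use.

# Print every dependency-update-report.txt below $1 that reports at least one
# newer version; reports for fully up-to-date modules are skipped.
list_update_reports() {
    find "$1" -path '*/target/dependency-update-report.txt' -type f 2>/dev/null \
        | sort \
        | while IFS= read -r report; do
            if grep -q -- '->' "$report"; then
                printf '%s\n' "$report"
            fi
        done
}

# Sum the "old -> new" lines across all update reports below $1.
count_available_updates() {
    list_update_reports "$1" | while IFS= read -r report; do
        grep -c -- '->' "$report"
    done | awk '{ total += $1 } END { print total + 0 }'
}

# Print every dependency-check-report.html below $1 (the OWASP Dependency-Check
# output for the security scan); each still needs a human to triage false positives.
list_security_reports() {
    find "$1" -path '*/target/dependency-check-report.html' -type f 2>/dev/null | sort
}

# Build a constructed tree mimicking three Maven modules' target/ output so the
# functions above can be exercised without running Maven. Prints the root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/target" "$root/guacamole/target" "$root/guacamole-common/target"
    # top-level project: one upgrade candidate plus a security report
    cat > "$root/target/dependency-update-report.txt" <<'EOF'
The following dependencies in Dependencies have newer versions:
  org.example:example-lib ................. 1.2.0 -> 1.2.1
EOF
    printf '<html><body>constructed sample report</body></html>\n' \
        > "$root/target/dependency-check-report.html"
    # module with two upgrade candidates and a security report
    cat > "$root/guacamole/target/dependency-update-report.txt" <<'EOF'
The following dependencies in Dependencies have newer versions:
  org.example:alpha ....................... 2.0 -> 2.1
  org.example:beta ........................ 3.4 -> 3.5
EOF
    printf '<html><body>constructed sample report</body></html>\n' \
        > "$root/guacamole/target/dependency-check-report.html"
    # module that is up to date: report present, but no "->" lines
    printf 'No dependencies in Dependencies have newer versions.\n' \
        > "$root/guacamole-common/target/dependency-update-report.txt"
    printf '%s\n' "$root"
}

# Stand-alone run: pass a checkout root as $1, or fall back to the sample tree.
if [ -n "${1:-}" ]; then
    ROOT=$1
else
    ROOT=$(make_sample_tree)
fi
echo "Update reports with candidates:"
list_update_reports "$ROOT"
echo "Total upgrade candidates: $(count_available_updates "$ROOT")"
echo "Security reports to review:"
list_security_reports "$ROOT"
```

Run it as {{sh summarise-reports.sh /path/to/guacamole-client}} after the Maven build has finished; with no argument it runs against the constructed sample tree, reporting two modules with candidates, three candidates in total, and two security reports.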
