Dependency scan for V3.4.8 (V3.last)

Description

We need to scan the IdP's dependencies for the V3.4.8 release to make sure that we have the latest and greatest available.

Because this is a patch release (rather than, e.g., a V3.5.0) our main constraint is that any dependencies bumped must themselves be only patch releases, not minors (perhaps unless there are security issues we believe affect us) and certainly not majors.

Parent POM for the IdP maint-3.4 branch is currently 7.11.2-SNAPSHOT, so we can update dependencies in the parent POM.

Environment

None

Activity


Ian Young December 9, 2020 at 3:49 PM

Bumped Spring Framework to 4.3.30, commit 755bb2e369b06ef7b1c73f2dd965e5e47f234cf1.

Ian Young December 4, 2020 at 5:27 PM

Not done yet: Spring Framework 4.3.30 is next week, so reopening.

Ian Young December 4, 2020 at 5:23 PM

Uploaded to nexus: httpcore, metrics, jackson, spring framework (slf4j and jsr305 were already uploaded).

Bumped the versions of the above in java-parent-project commit 5e536e7e072d097c7881d8a0554882c9b57d37c6.

Ian Young December 4, 2020 at 5:00 PM

Bumped the version of unboundid in idp-distribution, commit 8a4432967b2144ba64e8fd341db32835967c730f. (Was already in Nexus).

Ian Young December 3, 2020 at 6:07 PM

I've looked at the dependency:list for the IdP distribution, and then ignored:

  • guava, which can't be upgraded without changing the requirement to Java 8

  • anything that isn't semantically versioned

  • anything that's only used for tests

  • ant, which is only used by the installer and is not on the runtime classpath

For the remainder, I've looked to see whether a newer _patch_ version was available.

The following can be updated:

  • jackson from 2.10.3 to 2.10.4

  • jsr305 from 3.0.1 to 3.0.2

  • unboundid-ldapsdk (managed by idp-distribution, not the parent POM) from 4.0.9 to 4.0.14

  • metrics from 3.1.2 to 3.1.5

  • httpcore from 4.4.13 to 4.4.14

  • slf4j from 1.7.25 to 1.7.30

  • spring framework from 4.3.19 to (currently) 4.3.29 (from next week, 4.3.30)

I have applied those changes to a copy of the parent POM (and idp-distribution, in the one relevant case) and all tests appear to pass.

Next step would be to upload all those dependencies to Nexus and push those changes.

I think we should probably have a discussion on Friday about whether this is all we want to do, or whether any of those do not want to be updated. If the aim is to update everything that might be of benefit, we might try and pull in things like joda-time and bcprov, which are not semantically versioned but are relevant. I wouldn't want to just bump everything, though, because I know that blindly bumping things like commons-codec would not be a good idea.

Note also that this doesn't cover transitive dependencies whose versions are not managed by us. Things like Hibernate fall into this category.
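The triage described in the comment above (read the dependency:list, drop test-only and explicitly ignored artifacts, set aside anything not semantically versioned, and then accept only a newer patch within the same major.minor) can be scripted so the same rules are applied on every maintenance release. The following is an added example, not code from the Shibboleth project or the ticket author. The dependency:list output and the table of available versions are constructed sample data (in practice the available versions come from the repository's maven-metadata.xml, and the guava, ant, joda-time and testng versions shown are invented); the handling of a trailing `.RELEASE` qualifier is an assumption made so that Spring 4.x artifact versions can be compared as major.minor.patch.

```python
"""Select patch-only dependency bumps from `mvn dependency:list` output.

Rules mirrored from the ticket: skip test-scoped artifacts, skip an explicit
ignore set (e.g. guava, ant), report non-semver versions for manual review,
and only accept a newer release with the same major.minor (a patch bump).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of dependency:list output. Lines have the shape
# groupId:artifactId:type[:classifier]:version:scope, optionally followed
# by " -- module ..." with newer Maven versions. Versions for jackson, jsr305,
# metrics, httpcore, slf4j and spring are the ones the ticket lists; the rest
# are invented for illustration.
DEPENDENCY_LIST = """\
The following files have been resolved:
   com.fasterxml.jackson.core:jackson-databind:jar:2.10.3:compile
   com.google.code.findbugs:jsr305:jar:3.0.1:compile
   com.google.guava:guava:jar:20.0:compile
   io.dropwizard.metrics:metrics-core:jar:3.1.2:compile
   org.apache.httpcomponents:httpcore:jar:4.4.13:compile
   org.slf4j:slf4j-api:jar:1.7.25:compile -- module org.slf4j (auto)
   org.springframework:spring-core:jar:4.3.19.RELEASE:compile
   org.apache.ant:ant:jar:1.10.9:compile
   joda-time:joda-time:jar:2.9:compile
   org.testng:testng:jar:6.14.3:test
"""

# Constructed stand-in for repository metadata (assumption: in real use this
# is read from maven-metadata.xml in Nexus or Maven Central).
AVAILABLE_VERSIONS: Dict[str, List[str]] = {
    "com.fasterxml.jackson.core:jackson-databind": ["2.10.3", "2.10.4", "2.11.0", "2.12.0"],
    "com.google.code.findbugs:jsr305": ["3.0.1", "3.0.2"],
    "com.google.guava:guava": ["20.0", "21.0", "30.0-jre"],
    "io.dropwizard.metrics:metrics-core": ["3.1.2", "3.1.5", "3.2.6", "4.1.0"],
    "org.apache.httpcomponents:httpcore": ["4.4.13", "4.4.14"],
    "org.slf4j:slf4j-api": ["1.7.25", "1.7.30"],
    "org.springframework:spring-core": ["4.3.19.RELEASE", "4.3.29.RELEASE", "5.3.2"],
    "joda-time:joda-time": ["2.9", "2.10.8"],
}

DEP_LINE = re.compile(
    r"^\s*([^:\s]+):([^:\s]+):([^:\s]+):(?:([^:\s]+):)?([^:\s]+):(\w+)(?:\s+--.*)?$"
)
# Assumption: Spring 4.x style "4.3.29.RELEASE" is treated as 4.3.29.
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?$")


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_dependency_list(text: str) -> List[Dependency]:
    """Extract resolved artifacts from dependency:list output, ignoring chatter."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            group, artifact, _type, _classifier, version, scope = m.groups()
            deps.append(Dependency(group, artifact, version, scope))
    return deps


def parse_semver(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the version is not semver-like."""
    m = SEMVER.match(version)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def select_patch_bumps(deps, available, ignore=frozenset()):
    """Split dependencies into patch bumps to apply and items skipped (with a reason)."""
    bumps: Dict[str, Tuple[str, str]] = {}
    skipped: Dict[str, str] = {}
    for d in deps:
        if d.scope == "test":
            skipped[d.key] = "test-only"
            continue
        if d.artifact in ignore:
            skipped[d.key] = "ignored"
            continue
        cur = parse_semver(d.version)
        if cur is None:
            skipped[d.key] = f"not semantically versioned ({d.version}); review manually"
            continue
        # Same major.minor, strictly newer patch: minors and majors are never picked.
        candidates = []
        for v in available.get(d.key, []):
            sv = parse_semver(v)
            if sv is not None and sv[:2] == cur[:2] and sv[2] > cur[2]:
                candidates.append(v)
        if candidates:
            bumps[d.key] = (d.version, max(candidates, key=parse_semver))
        else:
            skipped[d.key] = "no newer patch release"
    return bumps, skipped


def report():
    deps = parse_dependency_list(DEPENDENCY_LIST)
    return select_patch_bumps(deps, AVAILABLE_VERSIONS, ignore=frozenset({"guava", "ant"}))


if __name__ == "__main__":
    bumps, skipped = report()
    for key, (old, new) in sorted(bumps.items()):
        print(f"bump    {key}: {old} -> {new}")
    for key, why in sorted(skipped.items()):
        print(f"skip    {key}: {why}")
```

Anything that lands in the skipped set with a "not semantically versioned" reason (joda-time in the sample, and bcprov in practice) is exactly the set that still needs a human decision, which is the discussion point raised above; the script never bumps those on its own.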

Done

Details

Created December 2, 2020 at 4:15 PM
Updated December 9, 2020 at 3:49 PM
Resolved December 9, 2020 at 3:49 PM