Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Requesting an upgrade of the dependency package. #107

Open
Aiden-777 opened this issue Oct 16, 2023 · 8 comments
Open

Requesting an upgrade of the dependency package. #107

Aiden-777 opened this issue Oct 16, 2023 · 8 comments

Comments

@Aiden-777
Copy link

Have you considered upgrading dependencies such as gRPC?

The low version may lead to the exploitation of certain vulnerabilities that have already been exposed.

I am using a newer dependency, and issues encountered in the past have been resolved.

However, this time, the change in 'API signature' prevents me from using the latest version of gRPC in the future.

Here is the error I encountered:

*******
APPLICATION FAILED TO START
*******

Description:

An attempt was made to call a method that does not exist. The attempt was made from the following location:

    org.tron.trident.core.ApiWrapper.<init>(ApiWrapper.java:143)

The following method did not exist:

    'io.grpc.stub.AbstractStub io.grpc.stub.MetadataUtils.attachHeaders(io.grpc.stub.AbstractStub, io.grpc.Metadata)'

In the latest version of gRPC, v1.58.0:

stub: Removed deprecated methods attachHeaders and captureMetadata from MetadataUtils
@endiaoekoe
Copy link
Contributor

@Aiden-777
really appreciate your reply.
the current gRPC dependencies have been introduced since trident-java project launched. but as you said above, the gRPC
APIs have evolved in the past years.
Specifically on this issue you mentioned above, the API MetadataUtils.attachHeaders are deprecated and removed from the gRPC APIs mentioned in this issue.
I think it is a good time to review the existing gRPC APIs used in trident-java project and find the ones that need to be up to date with official gRPC APIs.

@Aiden-777
Copy link
Author

@Aiden-777 really appreciate your reply.非常感谢您的回复。 the current gRPC dependencies have been introduced since trident-java project launched. but as you said above, the gRPC当前的 gRPC 依赖项自 Trident-Java 项目启动以来就已引入。但正如你上面所说,gRPC APIs have evolved in the past years.API 在过去几年中不断发展。 Specifically on this issue you mentioned above, the API MetadataUtils.attachHeaders are deprecated and removed from the gRPC APIs mentioned in this issue.具体到您上面提到的此问题,API 已弃用并从此问题中提到的 gRPC API MetadataUtils.attachHeaders 中删除。 I think it is a good time to review the existing gRPC APIs used in trident-java project and find the ones that need to be up to date with official gRPC APIs.我认为现在是回顾三叉戟-java项目中使用的现有gRPC API并找到需要与官方gRPC API保持同步的好时机。

Looking forward to the next version upgrade. Thanks to the developers!

@jimbogithub
Copy link

jimbogithub commented Feb 27, 2024
edited

+1 to resolve as these older dependencies are incompatible with newer releases of our container environment.

@endiaoekoe
Copy link
Contributor

fixed in release 0.9.0

@jimbogithub
Copy link

jimbogithub commented May 10, 2024
edited

@endiaoekoe Would you also consider switching from bcprov-jdk15on to bcprov-jdk18on? You appear to be targeting JDK 1.8 and above so bcprov-jdk18on would be better as it has many resolved CVEs versus bcprov-jdk15on. Note that it's a direct drop in as it is 'relocated': https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on

@Aiden-777
Copy link
Author

@endiaoekoe Would you also consider switching from bcprov-jdk15on to bcprov-jdk18on? You appear to be targeting JDK 1.8 and above so bcprov-jdk18on would be better as it has many resolved CVEs versus bcprov-jdk15on. Note that it's a direct drop in as it is 'relocated': https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on

I've been using the bcprov-jdk18on dependency in the project all along, and it hasn't caused any side effects.

@Aiden-777
Copy link
Author

Lately, work's been crazy busy, and I haven't had the time to dive into the latest features. I'm thinking of keeping this issue open for a while; maybe it'll spark some more coding inspiration for other developers. Like, I'm planning to use it for global rate limiting, to prevent excessive consumption of free resources when connecting to public nodes.😄

@jimbogithub
Copy link

@endiaoekoe Would you also consider switching from bcprov-jdk15on to bcprov-jdk18on? You appear to be targeting JDK 1.8 and above so bcprov-jdk18on would be better as it has many resolved CVEs versus bcprov-jdk15on. Note that it's a direct drop in as it is 'relocated': https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on

I've been using the bcprov-jdk18on dependency in the project all along, and it hasn't caused any side effects.

Likewise, but it would be nice to not have to override the transitive dependency. It would be better to have this project depend on bcprov-jdk18on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jimbogithub @endiaoekoe @Aiden-777