alpine-parent is not available

[markusmuellerusi]

Current Behavior

apline projects are required to be published on maven repo. 2.2.6 is missing.
(no snapshots, real versions)

Steps to Reproduce

1. https://oss.sonatype.org/ has no official version -> https://oss.sonatype.org/#nexus-search;gav~us.springett~alpine-parent~~~~kw,versionexpand
2. https://mvnrepository.com/artifact/us.springett/alpine-executable-war

Expected Behavior

Provide used artefacts in official repos.

Dependency-Track Version

4.11.1

Dependency-Track Distribution

Executable WAR

Database Server

Microsoft SQL Server

Database Server Version

No response

Browser

Microsoft Edge

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

Alpine snapshots are published to the OSSRH snapshot repository, e.g. https://oss.sonatype.org/content/repositories/snapshots/us/springett/alpine-common/

This repository is configured in Dependency-Track's POM:

dependency-track/pom.xml

Lines 142 to 151 in 1f2cc28

	<repositories>
	<repository>
	<id>ossrh-snapshot</id>
	<url>https://oss.sonatype.org/content/repositories/snapshots</url>
	<snapshots>
	<updatePolicy>always</updatePolicy>
	<enabled>true</enabled>
	</snapshots>
	</repository>
	</repositories>

Releasing new versions of Alpine for every single change is currently not practical for us. A new version of Alpine will be released and published to Maven Central when we are certain that it's fully operational and doesn't cause any regressions in DT.

[markusmuellerusi]

Then please publish Alpine 2.2.6. It's missing. I do not really want to use a snapshot. But 2.2.6 has the run-in-transaction, which in used in Dependency-Track 4.11. Thanks in advance and best wishes.

[nscuro]

I get the frustration, in particular when your organization does not allow consumption from external snapshot repositories.

Then please publish Alpine 2.2.6. It's missing. I do not really want to use a snapshot. But 2.2.6 has the run-in-transaction, which in used in Dependency-Track 4.11.

Version 4.11.x of Dependency-Track is using Alpine 2.2.5:

dependency-track/pom.xml

Lines 24 to 28 in a0c5045

	<parent>
	<groupId>us.springett</groupId>
	<artifactId>alpine-parent</artifactId>
	<version>2.2.5</version>
	</parent>

Note that the master branch is used for the next minor version (hence being 4.12.0-SNAPSHOT). We create separate release branches (i.e. 4.11.x as linked above) for backporting any critical bugfixes.

Version 2.2.6 of Alpine will never be released. Due to various larger changes, among them:

• Remove Swagger integration stevespringett/Alpine#567
• Migrate to Jakarta EE 10, Jersey 3.x, and Jetty 12 stevespringett/Alpine#570

2.2.6-SNAPSHOT has been changed to 3.0.0-SNAPSHOT. Dependency-Track 4.12.0-SNAPSHOT has migrated to Alpine 3.0.0-SNAPSHOT via #3730, which was merged yesterday.

[nscuro]

If you want to contribute a bugfix (not a feature), you could base your work on the 4.11.x branch and raise a PR into that. We can then take care of porting the fix to master.

Usually we do it the other way around (backporting from master to 4.11.x), but in the end it doesn't really matter.

[markusmuellerusi]

Thanks a lot for the clarification!

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.