SOLR-16562: Upgrade to Caffeine 3.1.2

[risdenk]

https://issues.apache.org/jira/browse/SOLR-16562

This update of Caffeine includes infinite loop checking.

This also upgrades the following:
* SOLR-16579 - Jackson 2.14.1
* SOLR-16578 - errorprone 2.16
* and other minor dependencies based on transitive dependencies.

[risdenk]

Relates to #1118 - the underlying issue w/ infinite loop is mutable Lucene/Solr query classes.

[epugh]

amazing how many files an upgrade touches, however it all LGTM

[fsparv]

Can we fix the typo comment at the top to say woodstox-core 6.4 not 2.4? Also it looks like this happens to address CVE-2022-40152

[risdenk]

Thanks for catching that @fsparv - updated the commit message. Bummer not all dependencies start with 2.x :P

[dsmiley]

Why is this upgrading more than one thing? Pure convenience? Caffeine has no dependencies.

[risdenk]

Why is this upgrading more than one thing? Pure convenience? Caffeine has no dependencies.

https://mvnrepository.com/artifact/com.github.ben-manes.caffeine/caffeine/3.1.2

Caffeine definitely has dependencies. Upgrading Caffeine triggered these dependency updates.

[dsmiley]

RE Caffeine definitely has dependencies: My attempt to show this was looking at gradlew dependencies --configuration runtimeClasspath but I suppose this is flawed, like maybe if the same dependencies come through from multiple paths in the tree. Next time I'll just look at its pom and/or via mvnrepository.com. Thanks.

[risdenk]

yea I'm not even sure I trust the mvnrepository.com output - https://github.com/ben-manes/caffeine/blob/master/gradle/dependencies.gradle shows lots of dependencies at least managed. https://github.com/ben-manes/caffeine/blob/master/caffeine/build.gradle is the limited list just for caffeine library. I wouldn't have guessed these dependencies updates would happen without the consistent versions highlighting it.

FWIW I'm not opposed to splitting the versions.props specific dependency changes (jackson, woodstox, errorprone) into other commits.

[dsmiley]

I have no problem doing a bunch of updates at once so long as it's clear in JIRA & CHANGES.txt that we did so

[ben-manes]

Caffeine has no required dependencies. It does have optional annotations that can be excluded (checker, errorprone) that are compile scoped. The managed dependencies are internal for testing, benchmarks, analysis and should not be in the pom.

The actual bug in solr hasn’t been fixed, so while this is good to fail fast, I am s little concerned that the root problem won’t be addressed.

[ben-manes]

I believe that the managed dependencies in the pom are Gradle constraints added to protect the build itself from exploits. It’s noise that doesn’t impact users, but I’ll look into removing it from the pom as an implementation detail to avoid CI attacks like the codecov breach.

Edit: removed from the published pom for future releases

[ben-manes]

Solr worked around the same issue wrt managed dependencies being unintentionally exported. While this fixes the pom, the gradle module metadata still includes these and, as Gradle prefers that over the pom file, it takes precedence for consumers who use a Gradle build. To resolve that, I switched to not applying constraint to the published configuration, which removed the section from the metadata files.

solr/gradle/maven/defaults-maven.gradle

Lines 152 to 161 in 1a940ad

	pom({
	// LUCENE-9561:
	// Remove dependencyManagement section created by a combination of
	// Palantir and the publishing plugin.
	//
	// https://github.com/palantir/gradle-consistent-versions/issues/550
	withXml {
	asNode().dependencyManagement.replaceNode {}
	}
	})

[risdenk]

Thanks @ben-manes - I decided to separate these upgrades for Jackson and errorprone into separate commits to make it easier to see in solr/CHANGES.txt and not conflate the caffeine upgrade.