UNOMI-875: PR2 dependency hygiene (E1 + E2)#795
Merged
Conversation
Resolve Dependabot advisories for decode-uri-component, json5, semver, and upgrade Babel toolchain.
Addresses Dependabot #634 in the GraphiQL UI module.
Align root kafka-client.version with Dependabot #674; kafka-injector uses BOM-managed version.
Align root log4j.version with Dependabot #692 across BOM-managed modules.
Log4j 2.24 embeds two OSGi activators; remove the header so the Felix bundle plugin can build.
Log4j 2.24 JARs carry conflicting Bundle-Activator headers when embedded; use platform log4j instead.
Use frontend-maven-plugin 2.0.1, Node v22.19.0, and Yarn 1.22.22 from root pom; remove per-module plugin version drift.
… build. core-js-compat requires semver 7 subpaths; blanket resolutions break webpack/babel-loader.
…olution, fix poll(Duration). - graphql-ui: bump @babel/core|preset-env|preset-react ^7.10.4 → ^7.24.0 - graphql-ui: remove **/postcss 7.0.39 resolution (direct dep already at ^8.4.28) - kafka-injector: replace deprecated KafkaConsumer.poll(long) with poll(Duration)
… testMultiTenantIsolation. The cache-refresh scheduler fires every 1 000 ms and runs processGroovyActionForCache() under the type-refresh write lock. The old remove() stripped the entry from scriptMetadataCacheByTenant before calling removeItem(), so a concurrent refresh could re-insert the entry between that early removal and the locked persistence delete, leaving getCompiledScript() with a stale class reference. Fix: add a protected onItemRemoved() hook to AbstractMultiTypeCachingService that is invoked inside removeItem() while the read lock is held (mutually exclusive with the refresh write lock). GroovyActionsServiceImpl overrides this hook to remove from scriptMetadataCacheByTenant, guaranteeing the entry is gone by the time any subsequent getCompiledScript() call runs.
Bump checkout and setup-java to v5 and upload-artifact to v6 so CI jobs no longer run node20 actions on forced node24 runners.
Log4j 2.24.0 breaks the Elasticsearch client OSGi bundle. Defer #692 with the platform upgrade in PR3.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Plain-language summary
This PR updates libraries and build tools used by Unomi before the 3.1 release. It fixes known security issues in npm packages and the Kafka client, moves the front-end build to a supported Node version, and removes CI warnings about old GitHub Actions runtimes.
It also fixes small bugs found while testing: a race in Groovy action cache cleanup and a Kafka API change after the client bump.
Log4j and OpenCSV are not included. Log4j 2.24.0 was tried but broke the Elasticsearch client OSGi bundle, so it stays at 2.19.0 until PR3 (Karaf + ES/OS + log4j upgrade).
What changed
Front-end (E1)
extensions/web-tracker/wab: upgrade Babel to 7.24; pin vulnerable npm packages via yarn resolutions (Dependabot Bump decode-uri-component from 0.2.0 to 0.2.2 in /extensions/web-tracker/wab #554, Bump json5 from 2.2.1 to 2.2.3 in /extensions/web-tracker/wab #566, Bump semver from 6.3.0 to 6.3.1 in /extensions/web-tracker/wab #635, Bump @babel/traverse from 7.19.1 to 7.24.7 in /extensions/web-tracker/wab #671).graphql/graphql-ui: upgrade Babel to 7.24; remove stale postcss resolution; do not pin semver to 5.7.2 globally — that broke the webpack build (Babel needs semver 7).Build toolchain
pom.xml:frontend-maven-plugin1.12.1 → 2.0.1, Node v16.20.2 → v22.19.0, Yarn v1.22.19 → v1.22.22.pom.xmlfiles for wab and graphql-ui inherit these versions (no local overrides).Java libraries (E2)
kafka-client: 2.2.1 → 2.6.3 (Bump org.apache.kafka:kafka-clients from 2.2.1 to 2.6.3 in /plugins/kafka-injector #674).Fixes found during the upgrade
plugins/kafka-injector: usepoll(Duration)instead of the removedpoll(long)API.GroovyActionsServiceImpl: fix a race between cache refresh and remove in multi-tenant Groovy actions (stale script could stay in memory).CI
checkout@v5,setup-java@v5,upload-artifact@v6.Deferred to PR3 (Karaf + ES/OS + log4j)
log4j2.24.0 (Bump org.apache.logging.log4j:log4j-1.2-api from 2.17.0 to 2.24.0 #692) — tried on this branch; broke ES client OSGi bundle; reverted to 2.19.0.Skipped / already OK
Test plan
yarn buildinextensions/web-tracker/wabyarn buildingraphql/graphql-uimvn -pl graphql/graphql-ui -am generate-resourcesmvn -pl persistence-elasticsearch/core -am -DskipTests package(after log4j revert)./build.sh --ci(local)References
UNOMI-875 · Dependabot #554, #566, #635, #671, #674