fix: update and simplify dependencies, NOTE: jnit4 and commons-lang r…#351

Merged
akafredperry merged 2 commits into trunk from dependencies_update
Feb 4, 2026

@akafredperry
Collaborator

- What I did
Updated the Maven POMs with the most up-to-date vulnerability-free dependency versions that can be used with JDK 8

closes #341

- How I did it

  • Removed Apache commons-lang
  • Removed all use of JUnit 4
  • Upgraded to Cucumber JUnit 5
  • Updated versions in parent POM
  • Compared the output of **mvn dependency:list -Dsort=true** with that of trunk
  • Double-checked https://ossindex.sonatype.org
  • Migrated unit tests that were "hitting" the prod root server to integration tests and switched to use virtual env

- How to verify it
GitHub CI jobs will run all unit and integration tests.
But the change can be tested by checking out and running this command from the top level:

mvn clean install

This is a summary of the upgrade

$ diff target/old-compile-dependencies.txt  target/new-compile-dependencies.txt 
30,38c30,36
< [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.14.0:compile
< [INFO]    info.picocli:picocli:jar:4.7.0:compile
< [INFO]    org.apache.commons:commons-lang3:jar:3.18.0:compile
< [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78:compile
< [INFO]    org.slf4j:slf4j-api:jar:2.0.7:compile
< [INFO]    org.yaml:snakeyaml:jar:1.33:compile
---
> [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.4:compile
> [INFO]    info.picocli:picocli:jar:4.7.6:compile
> [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78.1:compile
> [INFO]    org.yaml:snakeyaml:jar:2.1:compile
48,53c46,50
< [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.14.0:compile
< [INFO]    info.picocli:picocli:jar:4.7.0:compile
< [INFO]    org.apache.commons:commons-lang3:jar:3.18.0:compile
---
> [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.4:compile
> [INFO]    info.picocli:picocli:jar:4.7.6:compile
55c52
< [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78:compile
---
> [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78.1:compile
57,58c54
< [INFO]    org.slf4j:slf4j-api:jar:2.0.7:compile
< [INFO]    org.yaml:snakeyaml:jar:1.33:compile
---
> [INFO]    org.yaml:snakeyaml:jar:2.1:compile
68,71c64,67
< [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.14.0:compile
---
> [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.4:compile
74,75c70
< [INFO]    info.picocli:picocli:jar:4.7.0:compile
< [INFO]    org.apache.commons:commons-lang3:jar:3.18.0:compile
---
> [INFO]    info.picocli:picocli:jar:4.7.6:compile
77,79c72,74
< [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78:compile
< [INFO]    org.slf4j:slf4j-api:jar:2.0.7:compile
< [INFO]    org.yaml:snakeyaml:jar:1.33:compile
---
> [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78.1:compile
> [INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile
> [INFO]    org.yaml:snakeyaml:jar:2.1:compile
89,94c84,88
< [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile
< [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.0:compile
< [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.14.0:compile
< [INFO]    info.picocli:picocli:jar:4.7.0:compile
< [INFO]    org.apache.commons:commons-lang3:jar:3.18.0:compile
---
> [INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile
> [INFO]    com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.4:compile
> [INFO]    info.picocli:picocli:jar:4.7.6:compile
96,99c90,93
< [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78:compile
< [INFO]    org.slf4j:slf4j-api:jar:2.0.7:compile
< [INFO]    org.slf4j:slf4j-simple:jar:2.0.7:compile
< [INFO]    org.yaml:snakeyaml:jar:1.33:compile
---
> [INFO]    org.bouncycastle:bcprov-jdk15to18:jar:1.78.1:compile
> [INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile
> [INFO]    org.slf4j:slf4j-simple:jar:2.0.9:compile
> [INFO]    org.yaml:snakeyaml:jar:2.1:compile

Vulnerabilities can be checked with these URLs:
https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.4
https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.4
https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.4
https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.4
https://ossindex.sonatype.org/component/pkg:maven/info.picocli/picocli@4.7.6
https://ossindex.sonatype.org/component/pkg:maven/org.bouncycastle/bcprov-jdk15to18@1.78.1
https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml@2.1

- Description for the changelog
Upgraded all jar dependencies to the most recent vulnerability-free version - removed commons-lang
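
The comparison and lookup steps listed in the description above, as an added Python example that is not part of the pull request or the project's code: it parses two `mvn dependency:list` logs, reports changed and removed coordinates, and builds OSS Index lookup URLs in the form the description uses. The function names are assumptions of this example, and the embedded sample lines are constructed from the diff above.

```python
def parse_deps(text):
    """Map (group, artifact) -> set of versions seen in a dependency:list log."""
    deps = {}
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        parts = line[len("[INFO]"):].strip().split(":")
        if len(parts) == 5:    # group:artifact:type:version:scope
            group, artifact, _, version, _ = parts
        elif len(parts) == 6:  # group:artifact:type:classifier:version:scope
            group, artifact, _, _, version, _ = parts
        else:
            continue           # banner or summary line, not a coordinate
        deps.setdefault((group, artifact), set()).add(version)
    return deps

def summarize(old_text, new_text):
    """Return (changed, removed, added) between two dependency listings."""
    old, new = parse_deps(old_text), parse_deps(new_text)
    changed = {k: (sorted(old[k]), sorted(new[k]))
               for k in old.keys() & new.keys() if old[k] != new[k]}
    return changed, sorted(old.keys() - new.keys()), sorted(new.keys() - old.keys())

def ossindex_urls(text):
    """One lookup URL per resolved coordinate, in the form used in the PR."""
    base = "https://ossindex.sonatype.org/component/pkg:maven/"
    return sorted(f"{base}{g}/{a}@{v}"
                  for (g, a), versions in parse_deps(text).items()
                  for v in versions)

# Constructed sample input: a few lines taken from the diff in the description.
OLD = """\
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.18.0:compile
[INFO]    org.yaml:snakeyaml:jar:1.33:compile
"""
NEW = """\
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.4:compile
[INFO]    org.yaml:snakeyaml:jar:2.1:compile
"""

if __name__ == "__main__":
    changed, removed, added = summarize(OLD, NEW)
    for (g, a), (before, after) in sorted(changed.items()):
        print(f"changed {g}:{a} {before} -> {after}")
    for g, a in removed:
        print(f"removed {g}:{a}")
    for url in ossindex_urls(NEW):
        print(url)
```

Because versions are collected as a set per coordinate, a multi-module log in which two modules resolve different versions of the same artifact shows up as a multi-element list in the `changed` output.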

Member

@JeremyTubongbanua JeremyTubongbanua left a comment

LGTM

@akafredperry akafredperry merged commit 012c5e1 into trunk Feb 4, 2026
4 checks passed
@akafredperry akafredperry deleted the dependencies_update branch April 9, 2026 15:19

Development

Successfully merging this pull request may close these issues.

Address the reported vulnerabilities for dependencies
