Mockito should be a test dependency#1851
Conversation
Thanks for taking care of this. This change is fine, but I question how much of a problem the issue is in reality. Neither
@umcodemonkey @evnm I vote for reverting this change. In a correct Dropwizard project, with the applied change of this PR, you now will always have to explicitly add a dependency on Mockito in all projects using
After checking the actual code, this PR seems correct. Sorry for the noise. 😉
To clarify for anyone coming later (thanks @joschi for validating), prior to this change, if you import the @joschi is correct that after this change users will no longer get a transitive dependency on
* Upgraded Dropwizard from 1.0.6 to version 1.2.2:
  * Since version 1.1.0, Dropwizard dropped its dependency on `org.mockito` intentionally. The Mockito dependency was only accidentally in Maven's "compile" scope and has since moved into the correct "test" scope. See dropwizard/dropwizard#1851 for more details. Since Dropwizard itself has no dependency on Mockito anymore except for its internal tests, a dependency on the latest stable version 2.15.0 has therefore been added to the project explicitly. Same goes for Guava, which was explicitly added at version 24.0-jre.
  * Removed the explicit dependency on Jersey version 2.25.1, which is no longer needed since Dropwizard 1.2.2 already ships with that version. Note: Jersey 2.25.1 is reported to have a medium vulnerability, "XML Entity Expansion (XEE)", which has not yet been addressed in any subsequent version.
  * Pinned Jackson to version 2.9.4, which has a fix for a vulnerability detected in version 2.9.1 that would otherwise be pulled in by Dropwizard 1.2.2.
  * Hibernate Validator version 5.4.1.Final, pulled down with Dropwizard 1.2.2, is reported to have a "Privilege Escalation" vulnerability. Upgrading to 6.0.7.Final as recommended breaks the build due to API incompatibilities. The security issue has to do with the Java Security Manager, which is not being used, therefore we are safe to leave it as it is.
* Upgraded Dropwizard to version 1.2.2:
  * Since version 1.1.0, Dropwizard dropped its dependency on `org.mockito` intentionally. The Mockito dependency was only accidentally in Maven's "compile" scope and has since moved into the correct "test" scope. See dropwizard/dropwizard#1851 for details. Since Dropwizard itself has no dependency on Mockito except for its internal tests, a dependency on the latest stable version 2.15.0 had to be added to the project explicitly.
  * Removed the explicit dependency on Jersey version 2.25.1, which is no longer needed since Dropwizard 1.2.2 already ships with that version. Note: Jersey 2.25.1 is reported to have a medium vulnerability, "XML Entity Expansion (XEE)", which has not yet been addressed in any subsequent version.
  * Pinned Jackson to version 2.9.4, which has a fix for a vulnerability detected in version 2.9.1 that would otherwise be pulled in by Dropwizard 1.2.2.
  * Note: Hibernate Validator version 5.4.1.Final, pulled down with Dropwizard 1.2.2, is reported to have a "Privilege Escalation" vulnerability. Upgrading to 6.0.7.Final as recommended breaks the build due to API incompatibilities. The security issue has to do with the Java Security Manager, which is not being used, therefore we are safe to leave it as it is.
* Upgraded Dropwizard to latest version 1.2.2:
  * Since version 1.1.0, Dropwizard dropped its dependency on `org.mockito` intentionally. The Mockito dependency was only accidentally in Maven's "compile" scope and has since moved into the correct "test" scope. See dropwizard/dropwizard#1851 for details. Since Dropwizard itself has no dependency on Mockito anymore, a dependency had to be added to the project explicitly.
  * Removed the explicit dependency on Jersey version 2.25.1, which is no longer needed since Dropwizard 1.2.2 already ships with that version. Note: Jersey 2.25.1 is reported to have a medium vulnerability, "XML Entity Expansion (XEE)", which has not yet been addressed in any subsequent version.
  * Pinned Jackson to version 2.9.4, which has a fix for a vulnerability detected in version 2.9.1 that would otherwise be pulled in by Dropwizard 1.2.2.
  * Upgraded jetty-util to latest version 9.4.8.v20171121, which addresses VULNERABILITY ARTIFACT SID-4247 (Timing Attack).
  * NOTE: Hibernate Validator version 5.4.1.Final, pulled down with Dropwizard 1.2.2, is reported to have a "Privilege Escalation" vulnerability. Upgrading to 6.0.7.Final as recommended breaks the build due to API incompatibilities. The security issue has to do with the Java Security Manager, which is not being used, therefore we are safe to leave it as it is.
Mockito is being exposed as a compile dependency to dependents of dropwizard, which may force them to upgrade to Mockito 2 before they are ready.
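The scope leak this PR fixes is easy to catch mechanically: a dependency declared without a `<scope>` defaults to `compile` and is exported to every downstream project. The following audit script is an added example, not code from Dropwizard or this PR; the embedded `pom.xml` is constructed, and the list of test-only group ids is an assumption you would extend for your own build.

```python
import xml.etree.ElementTree as ET
# Constructed sample pom.xml (not Dropwizard's real POM). Mockito is declared
# without a <scope>, so Maven defaults it to "compile" and exports it to consumers.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
      <version>2.15.0</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>24.0-jre</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Scopes Maven propagates to a dependent's classpath; "test" and "provided" are not.
TRANSITIVE_SCOPES = {"compile", "runtime"}
# Group ids of libraries that belong only in test scope (assumed list, extend as needed).
TEST_ONLY_GROUPS = {"org.mockito", "junit", "org.junit.jupiter", "org.assertj", "org.hamcrest"}

def dependencies(pom_xml):
    """Yield (groupId, artifactId, effective scope) for every declared dependency."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        # An omitted <scope> means "compile", which is exactly how Mockito leaked.
        scope = dep.findtext("m:scope", default="compile", namespaces=NS).strip()
        yield group, artifact, scope

def leaked_test_libraries(pom_xml):
    """Return test-only libraries that downstream projects would inherit transitively."""
    return [f"{g}:{a}" for g, a, s in dependencies(pom_xml)
            if g in TEST_ONLY_GROUPS and s in TRANSITIVE_SCOPES]

if __name__ == "__main__":
    for coord in leaked_test_libraries(SAMPLE_POM):
        print(coord, "is exported to consumers; move it to <scope>test</scope>")
```

Run it against each module's `pom.xml` in CI so a test framework that slips back into compile scope fails the build instead of reaching your users.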