Updated Guice to 7.0.0 and Guava to 32.1.2 #216

Merged
merged 1 commit into from
Sep 28, 2023

Contributor

@N1k145 N1k145 commented Sep 27, 2023

Currently, Guice 5 and Guava up to 31 are used in the GLSP Server and Eclipse Integration.

These Guava Versions are affected by CVE-2023-2976 classified as a high security risk.
This could be mitigated by updating to Guava 32.0.1 or higher (32.1.2 is part of the 2023-09 SimRel)

The Issue is that Guice 5 has an upper limit of Guava 31 and so an Update to Guice 6 or 7 is necessary.
Xtext already did this update to Guice 7, which is now part of the SimRel

The drawback is that an update to Guice 7 requires changing from javax.inject to jakarta.inject.
Besides that, there are probably no breaking changes that affect GLSP.

The current situation makes it very complicated to use Xtext and GLSP in the same runtime.

@tortmayr
Contributor

In general the changes look good to me. However, the maven build does not succeed if I change the target to r2023-09 because DefaultDiagramGlobalScope then requires jakarta.inject which is not defined in the dependencies. Adding `jakarta.inject` as package dependency seems to fix the issue, but breaks downwards compatibility.

Also the maven build now has some provision warnings:

[WARNING] More information on the preceding warning(s) can be found here:
[WARNING] - https://wiki.eclipse.org/Tycho_Messages_Explained#Mirror_tool
[WARNING] Mirror tool: Problems resolving provisioning plan.: [Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.util [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.commons [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.tree.analysis [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.tree [9.4.0,9.4.0].]
[WARNING] More information on the preceding warning(s) can be found here:
[WARNING] - https://wiki.eclipse.org/Tycho_Messages_Explained#Mirror_tool
[WARNING] Mirror tool: Problems resolving provisioning plan.: [Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.util [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.commons [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.tree.analysis [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm [9.4.0,9.4.0].; Unable to satisfy dependency from 202309272050.org.eclipse.glsp.dependencies 1.0.0._8_I7AcMGg--7735I3G93 to org.eclipse.equinox.p2.iu; org.objectweb.asm.tree [9.4.0,9.4.0].]
[WARNING] More information on the preceding warning(s) can be found here:
[WARNING] - https://wiki.eclipse.org/Tycho_Messages_Explained#Mirror_tool

However, everything still seems to work as expected so maybe we can ignore them for now.

@N1k145
Contributor Author

N1k145 commented Sep 28, 2023

@tortmayr I tried a bit around and found a solution for the failing maven build. We can add jakarta.inject as a dependency as long as we define it as optional, and tell Tycho to ignore optional dependencies. Then the build works on both Versions.
Interestingly, running maven from inside of eclipse already worked.

The provisioning warnings I can't figure out, the message tells that there is a dependency on 9.4, which is no longer available, but I can't find where the Version is defined. The 9.5 is included in the Repository as expected.
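
The optional-dependency approach described in the comment above can be sketched as follows. This is an added example, not the configuration from this pull request: the use of `Import-Package` in the bundle manifest and the `${tycho.version}` property are assumptions, and only the `jakarta.inject` package name comes from the discussion.

```xml
<!--
  Added illustration, not the project's own files.

  Step 1 (bundle META-INF/MANIFEST.MF, shown here as a comment):
  declare the package as optional so the bundle still resolves on
  older targets that do not provide jakarta.inject:

    Import-Package: jakarta.inject;resolution:=optional

  Step 2 (parent pom.xml): tell Tycho not to require optional
  dependencies when it computes the build-time target platform.
-->
<build>
  <plugins>
    <plugin>
      <groupId>org.eclipse.tycho</groupId>
      <artifactId>target-platform-configuration</artifactId>
      <!-- assumed property; use the Tycho version the build already pins -->
      <version>${tycho.version}</version>
      <configuration>
        <dependency-resolution>
          <!-- default is "require"; "ignore" skips optional imports -->
          <optionalDependencies>ignore</optionalDependencies>
        </dependency-resolution>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The `ignore` setting applies to every optional dependency in the build, so a missing optional package no longer fails dependency resolution and only shows up when the affected class is loaded at runtime.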

@tortmayr tortmayr self-requested a review September 28, 2023 08:10
Contributor

@tortmayr tortmayr left a comment

Looks good to me.
With the optional dependency everything works as expected.
Let's ignore the provision warnings for now.

@tortmayr tortmayr merged commit dbfe315 into eclipse-glsp:master Sep 28, 2023
5 checks passed
@N1k145 N1k145 deleted the guice branch September 28, 2023 13:08