Upgrade sbt, Play, and various dependencies #94
Conversation
Upgrading sbt addresses the Log4J issue.
| @@ -105,7 +105,7 @@ case class StandardWebApp(versionUrl: String) extends AppSpecifics { | |||
| ) | |||
|
|
|||
| val versionExtractor = { r: WSResponse => | |||
| val values = r.body.lines.map(_.split(':').map(_.trim)).collect { case Array(k, v) => k -> v }.toMap | |||
| val values = r.body.linesIterator.map(_.split(':').map(_.trim)).collect { case Array(k, v) => k -> v }.toMap | |||
| @@ -17,16 +18,16 @@ object ScheduledAgent { | |||
|
|
|||
| class ScheduledAgent[T](initialDelay: FiniteDuration, frequency: FiniteDuration, initialValue: T, block: => Future[T], system: ActorSystem)(implicit ec: ExecutionContext) { | |||
|
|
|||
| val agent = Agent[T](initialValue) | |||
| val agent = new AtomicReference[T](initialValue) | |||
There was a problem hiding this comment.
Akka Agents are deprecated, AtomicReference is a simple substitute.
| lazy val proxyHost = configuration.getOptional[String]("proxyHost") | ||
| lazy val proxyPort = configuration.getOptional[Int]("proxyPort") | ||
|
|
||
| lazy val managementPort = configuration.getInt("managementPort") | ||
| lazy val managementPort = configuration.getOptional[Int]("managementPort") |
There was a problem hiding this comment.
Changes in Play's configuration library introduced with Play 2.6.
| // Until all dependencies are on scala-java8-compat v1.x, this avoids unnecessary fatal eviction errors | ||
| ThisBuild / libraryDependencySchemes += "org.scala-lang.modules" %% "scala-java8-compat" % VersionScheme.Always |
There was a problem hiding this comment.
See eg guardian/maintaining-scala-projects#13, akka/akka#30375, scanamo/scanamo#1285 for explanation about this issue.
| libraryDependencies ++= Seq( | ||
| "com.amazonaws" % "aws-java-sdk" % "1.11.890", |
There was a problem hiding this comment.
This dependency pulls in the whole of the AWS SDK (which has literally hundreds of different jars in it) - it's better to specify just the dependencies you need ("dynamodb", "ec2", "elasticloadbalancing", "s3", "autoscaling", "cloudwatch", "sqs" in this case, added below). This gives a dramatic reduction in overall deployment artifact size - from 249MB to 89MB in this case:
$aws s3 ls --profile deployTools --human-readable "s3://riffraff-artifact/status-app/147/status-app/status-app_1.0_all.deb"
2021-12-14 17:51:32 249.2 MiB status-app_1.0_all.deb
$ aws s3 ls --profile deployTools --human-readable "s3://riffraff-artifact/status-app/149/status-app/status-app_1.0_all.deb"
2021-12-14 17:53:09 89.0 MiB status-app_1.0_all.deb
| specs2 % Test, | ||
| ehcache, | ||
| ws, | ||
| "com.gu.play-googleauth" %% "play-v26" % "1.0.7", | ||
| "com.google.guava" % "guava" % "25.0-jre", //-- added explicitly - snyk report avoid logback vulnerability |
There was a problem hiding this comment.
Not necessary to explicitly specify this Guava dependency any more, at least not to get this version - version 30.1.1-jre is pulled in by other dependencies.
| @@ -5,7 +5,7 @@ | |||
| # ~~~~~ | |||
| # The secret key is used to secure cryptographics functions. | |||
| # If you deploy your application to several instances be sure to use the same key! | |||
| application.secret="QjNS;iFjE;T6rLNZOiB7XUVC]Lo/Q=iDAYhX9W4>0KBad/qTR`trtL3f[geJJIp0" | |||
| play.http.secret.key="QjNS;iFjE;T6rLNZOiB7XUVC]Lo/Q=iDAYhX9W4>0KBad/qTR`trtL3f[geJJIp0" | |||
There was a problem hiding this comment.
This configuration key has changed name over time, play.http.secret.key is the current name.
Note that introducing https://github.com/guardian/play-secret-rotation would probably be a better idea that having this committed to the repository...
prout-bot
added
Pending-on-status.ophan.co.uk
Overdue-on-status.ophan.co.uk
and removed
Pending-on-status.ophan.co.uk
labels
|
Overdue on status.ophan.co.uk (merged by @rtyley 1 hour and 3 seconds ago) What's gone wrong? |
prout-bot
added
Seen-on-status.ophan.co.uk
and removed
Overdue-on-status.ophan.co.uk
labels
|
Seen on status.ophan.co.uk (merged by @rtyley 23 hours, 25 minutes and 1 second ago) Please check your changes! |
Upgrading sbt addresses the Log4J issue, there are various security updates as well going from Play 2.6 to Play 2.8.