Concurrency Dependency Issues

[JanWesterkamp-iJUG]

Hi,
as noted yesterday in the Jakarta EE Platform call, I am creating this issue regarding findings in the jQA dependency analysis we should fix - at least some of them in a service release that could be part of the Jakarta EE 10 release:

• Concurrent 3.0.0 has a dependency to EJB 4.0.0 (provided, should be 4.0.1+) - there is a TODO note in the POM already
• Concurrent 3.0.0 has a dependency to Interceptor 2.0.1 (provided, should be 2.1.0)
• Concurrent 3.0.0 has a dependency to Annotation 2.1.0 (provided, should be 2.1.1)
• Concurrent 3.0.0 has a dependency to CDI 4.0.0 (compile, should be 4.0.1+)
• Concurrent 3.0.0 has a compile (!) dependency to TestNG 6.14.3 that should be none at all or 7.6.0
• Concurrent 3.0.0 has a compile (!) dependency to Arquillian TestNG Container 1.6.0 that should be none at all or may be another scope
• Concurrent 3.0.0 has test dependency to jUnit 4.13.1, which should be none at all or 5.8.2 or at least 4.13.2

While the top 3 issues could be worked around in a platform because they are provided, the CDI dependency is a compile type dependency.
Two of the test dependencies are using compile type dependencies (in the parent) and the jUnit and TestNG (new major release) dependencies are outdated.

At least the test dependencies should be fixed - but may be some of the other issues could be addressed in a new Service(or Patch) Release 3.0.1 and then could be part of Jakarta EE 10.

@smillidge @aubi @arjantijms @breakponchito @starksm64 @ivargrimstad: What do you think?

[arjantijms]

I can update a API pom to take care most of those things I think. I specifically would like to add the flatten plug-in as was done for the Faces pom as well: https://github.com/jakartaee/faces/blob/master/api/pom.xml

[smillidge]

I think the test dependency fix PR is already merged.

[JanWesterkamp-iJUG]

@smillidge the test dependency issues are still in the code:

These dependencies are of compile type instead of test type:

concurrency/pom.xml

Lines 144 to 155 in ab55453

	<dependency>
	<groupId>org.testng</groupId>
	<artifactId>testng</artifactId>
	<version>${testng.version}</version>
	<scope>compile</scope>
	</dependency>
	<dependency>
	<groupId>org.jboss.arquillian.testng</groupId>
	<artifactId>arquillian-testng-container</artifactId>
	<version>${arquillian.version}</version>
	<scope>compile</scope>
	</dependency>

jUnit Version should be 4.13.2, but is 4.13.1:
(

concurrency/api/pom.xml

Line 248 in ab55453

<version>4.13.1</version>

)

Regarding the other issues:
CDI has a compile type dependency too:

concurrency/pom.xml

Lines 139 to 143 in ab55453

	<dependency>
	<groupId>jakarta.enterprise</groupId>
	<artifactId>jakarta.enterprise.cdi-api</artifactId>
	<version>${jakarta.cdi.version}</version>
	</dependency>

Versions of dependencies are declared here and need updates:

concurrency/pom.xml

Lines 85 to 98 in ab55453

	<testng.version>6.14.3</testng.version>
	<arquillian.version>1.6.0.Final</arquillian.version>
	<jakarta.servlet.version>6.0.0</jakarta.servlet.version>
	<!-- TODO update to 4.0.1 -->
	<jakarta.ejb.version>4.0.0</jakarta.ejb.version>
	<jakarta.jsp.version>3.1.0</jakarta.jsp.version>
	<jakarta.annotation.version>2.1.0</jakarta.annotation.version>
	<jakarta.interceptor.version>2.0.1</jakarta.interceptor.version>
	<jakarta.cdi.version>4.0.0</jakarta.cdi.version>

It may be save to not update to the last major update of TestNG now because of potential sied effects.

[JanWesterkamp-iJUG]

Here are the jQA dependecy analysis results for Concurrency 3.0.0

jQA dependency analysis Concurrency 3.0.0 20220622 01.zip

In the csv folder you can find a list of dependent versions and in the plantuml folder are rendered SVG files available for review.

[JanWesterkamp-iJUG]

@arjantijms I ceated a PR for the test dependency issues:
#235

[JanWesterkamp-iJUG]

@arjantijms thanks for merging the PR!

Do we want to address the othere issues too with the upcoming Service Release 3.0.1?

I think updating them to the versions that will be part of the profiles (and part of the environment for testing there) makes sense. Especially CDI 4.0.1 removes the circular dependency and has a compile instead of provided dependency here.
Should we try to fix this dependency type here too?

[JanWesterkamp-iJUG]

@arjantijms, I added a 2nd PR for the other dependency issues:
#236

By the way, there are a lot of warings during the maven run - these are the topics you would like to address with your changes mentioned above?

[arjantijms]

@JanWesterkamp-iJUG I did some initial tidying here: #238

Warnings have been reduced.

[KyleAure]

Took a look through the repository and all of these dependency issues seem to have been resolved, and we now have dependabot working to keep dependencies up to date.