-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NEXUS-30879 - Update various dependencies to latest versions #96
Conversation
@@ -245,13 +245,13 @@ | |||
<dependency> | |||
<groupId>com.thoughtworks.xstream</groupId> | |||
<artifactId>xstream</artifactId> | |||
<version>1.4.7</version> | |||
<version>1.4.19</version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per #91 I don't think we can make this change directly here, as it will fail without making the updates to the XStream instance. Since that's declared elsewhere, let's skip this one for now and accept the others.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In 5203377 I updated the NXRM 2 dependency, which includes the changes to the XStream instance. I think we can keep this upgrade in place.
This PR breaks the plugin sadly. Declaring maven-core provided is nice, but did you consider the consequences? |
@cstamas thanks for chiming in - I'm unaware of the consequences. I recall seeing a warning in the build about the maven dependencies being declared as compile dependencies, along with the recommendation to switch the scope to provided. Any tips would be appreciated. |
Simplest but ugliest fix: put back maven-core (and other maven deps) into compile scope and live with warning at build time. Proper fix: enlist all the maven dependencies you use/require in POM (this is the best practice anyway), and do not rely that "core will give you them transitively" (is not when provided!). But there is a twist: given original SecDispatcher went dead (https://github.com/sonatype/plexus-sec-dispatcher and https://github.com/sonatype/plexus-cipher), it was "adopted" and updated by Plexus GH org (https://github.com/codehaus-plexus/plexus-sec-dispatcher and https://github.com/codehaus-plexus/plexus-cipher) and hence, it's GAV changed among Maven dependencies (between 3.8.2 and 3.8.3). Best solution would be if you declare direct dependency on org.codehaus.plexus:plexus-sec-dispatcher:2.0. Relevant change present in Maven 3.8.3 (and 3.8.4): apache/maven@c76c9d9 Finally, please up the maven version you compile against, 3.0.4 was EONS ago (exactly 10 years ago). ASF Maven project itself ups maven dep on plugins to 3.2.5+. Make it at least Maven 3.1.x. Also, please take this above with a grain of salt, as best would be to test plugin with Maven versions intended to be used with. Errors reported by users to us (w/ Maven 3.8.4):
1.6.10: after connecting
1.6.11 after connecting
|
Thanks for the tips @cstamas I'll track this down. My thinking is to first try to revert the provided scope changes to make a 1.6.x patch release, then look towards the larger changes for a 1.7.x, wdyt? |
Following suggestion from #96 (comment).
Looks like I pushed up a branch (https://github.com/sonatype/nexus-maven-plugins/tree/maven-scope) with that workaround; builds and tests locally, but there is definitely a lack of e2e tests that would help clarify if it fully addresses the issues. |
@@ -91,7 +93,7 @@ | |||
<dependency> | |||
<groupId>com.google.guava</groupId> | |||
<artifactId>guava</artifactId> | |||
<version>14.0.1</version> | |||
<version>31.0.1-jre</version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because of this I seem to be running into https://issues.sonatype.org/browse/NEXUS-23594
[INFO] Uploaded to ossrh: https://s01.oss.sonatype.org:443/service/local/staging/deployByRepositoryId/iogithubgitflow-incremental-builder-1000/io/github/gitflow-incremental-builder/gitflow-incremental-builder/4.0.0/gitflow-incremental-builder-4.0.0-sources.jar.asc (499 B at 2.0 kB/s)
[INFO] [INFO] * Upload of locally staged artifacts finished.
[INFO] [INFO] * Closing staging repository with ID "iogithubgitflow-incremental-builder-1000".
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [INFO] BUILD FAILURE
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [INFO] Total time: 01:54 min
[INFO] [INFO] Finished at: 2022-02-21T00:43:24+01:00
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [ERROR] Failed to execute goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.11:deploy (injected-nexus-deploy) on project gitflow-incremental-builder: Execution injected-nexus-deploy of goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.11:deploy failed: An API incompatibility was encountered while executing org.sonatype.plugins:nexus-staging-maven-plugin:1.6.11:deploy: java.lang.IllegalAccessError: class com.sonatype.nexus.staging.client.internal.StagingWorkflowV3ServiceImpl tried to access method 'void com.google.common.base.Stopwatch.<init>()' (com.sonatype.nexus.staging.client.internal.StagingWorkflowV3ServiceImpl and com.google.common.base.Stopwatch are in unnamed module of loader org.codehaus.plexus.classworlds.realm.ClassRealm @64030b91)
[INFO] [ERROR] -----------------------------------------------------
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@famod please try release 1.6.12, I believe the issue is addressed in that release.
No description provided.