Refactors dependencies #34
This commit does the following:
- Update various dependencies to latest patch versions
- Remove unused dependencies
- Remove unused version properties
- Remove Spring Boot references in all modules except autoconfigure and samples
This commit removes the direct dependency that was required by the protoc compiler for our samples. The Maven and Gradle now support an option to use an internal annotation which then allows us to remove the deprecated javax.annotation dependency. Background here: grpc/grpc-java#10927
This commit excludes the older protobuf libs `protobuf-java` and `proto-google-common-protos` from the `grpc-protobuf` lib and then explicitly adds back in the dependencies at the desired version in the root pom.xml
| <artifactId>grpc-testing</artifactId> | ||
| </dependency> | ||
|
|
||
| <dependency> |
We are not using spring-boot-test and ultimately cannot use it in the framework lib as we will have chicken-egg once we move into Spring Boot.
| </scm> | ||
|
|
||
| <dependencies> | ||
| <dependencyManagement> |
Moved the dep. on SB down into autoconfigure as we will have chicken-egg once we move into Spring Boot.
| <optional>true</optional> | ||
| </dependency> | ||
|
|
||
| <dependency> |
This is handled in spring-grpc-core
| <scope>test</scope> | ||
| </dependency> | ||
|
|
||
| <dependency> |
We just are not using these currently so pulled them out
| <dependencies> | ||
| <dependency> | ||
| <groupId>org.springframework</groupId> | ||
| <artifactId>spring-core</artifactId> |
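Review bot: on the `spring-core` entry, if this module's own sources import Spring Core classes, keep the dependency declared here instead of relying on it arriving through another module. `mvn dependency:analyze` lists such cases as used but undeclared, and a later change to the upstream module's dependencies would otherwise break this build.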
Comes in transitively via spring-grpc-core
| <groupId>org.springframework.grpc</groupId> | ||
| <artifactId>spring-grpc-spring-boot-autoconfigure</artifactId> | ||
| <version>${project.version}</version> | ||
| <version>${jackson.version}</version> |
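Review bot: the explicit `<version>${jackson.version}</version>` makes this module responsible for its own Jackson pin, so the property should be defined once in the root pom.xml and applied through `<dependencyManagement>` rather than repeated per dependency. That keeps every Jackson artifact on one version and leaves a single place to bump when a fix is released.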
This used to come in from ROOT/pom.xml depMgmt on spring-boot-dependencies but needs to come out as Spring Boot will not exist in this repo eventually (other than ITs and samples).
| <dependency> | ||
| <groupId>org.springframework.boot</groupId> | ||
| <artifactId>spring-boot-starter-test</artifactId> | ||
| <groupId>org.junit.jupiter</groupId> |
Again, the chicken-egg w/ SB eventually. We are only currently using JUnit in the tests.
This PR adds a few commits that:
- Clean up dependencies and versions
- Remove dependency on javax.annotation
- Exclude older protobuf lib from grpc lib
Details
The protobuf-java 3.25.1 has a CVE that is fixed in 3.25.5. I adjusted the versions accordingly in our root pom.xml but noticed that the older 3.25.1 was still being piggybacked in my sample app that is consuming spring-grpc.

Prior to commit 2 and 3 you can see that we are bringing in:

After commit 3 you can see that javax.annotation is gone and protobuf-java is at 3.25.5 and grpc-protobuf is at 1.63.2
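
The before/after check described in this PR can be automated in a consumer build by auditing the text output of `mvn dependency:tree`. The script below is an added example, not part of the PR or the project. Both sample trees are constructed, and only the protobuf-java versions and grpc-protobuf 1.63.2 come from the text above; every other version is a placeholder.

```python
import re

# Policy taken from this PR: protobuf-java must be >= 3.25.5, javax.annotation gone.
MIN_VERSIONS = {"com.google.protobuf:protobuf-java": (3, 25, 5)}
BANNED_GROUPS = {"javax.annotation"}

# Constructed `mvn dependency:tree` output (not from the PR); versions marked
# 0.0.0-EXAMPLE are placeholders.
BEFORE = """\
[INFO] com.example:sample-app:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.grpc:spring-grpc-core:jar:0.0.0-EXAMPLE:compile
[INFO] |  \\- io.grpc:grpc-protobuf:jar:1.63.2:compile
[INFO] |     +- com.google.protobuf:protobuf-java:jar:3.25.1:compile
[INFO] |     \\- com.google.api.grpc:proto-google-common-protos:jar:0.0.0-EXAMPLE:compile
[INFO] \\- javax.annotation:javax.annotation-api:jar:0.0.0-EXAMPLE:compile
"""
AFTER = """\
[INFO] com.example:sample-app:jar:0.0.1-SNAPSHOT
[INFO] \\- org.springframework.grpc:spring-grpc-core:jar:0.0.0-EXAMPLE:compile
[INFO]    +- io.grpc:grpc-protobuf:jar:1.63.2:compile
[INFO]    \\- com.google.protobuf:protobuf-java:jar:3.25.5:compile
"""

def parse_deps(tree_text):
    """Yield (group:artifact, version) for each dependency line of the tree."""
    for line in tree_text.splitlines():
        m = re.match(r"(?:\[INFO\] )?[|+\\\- ]*(\S+)", line)
        parts = m.group(1).split(":") if m else []
        if len(parts) >= 5:  # skips the root project line and plugin banners
            yield f"{parts[0]}:{parts[1]}", parts[-2]

def version_tuple(version):
    """Compare on leading numeric parts only; qualifiers like -RC1 are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def audit(tree_text):
    """Return one finding per dependency that violates the policy above."""
    findings = []
    for ga, version in parse_deps(tree_text):
        floor = MIN_VERSIONS.get(ga)
        if floor and version_tuple(version) < floor:
            findings.append(f"{ga}:{version} below {'.'.join(map(str, floor))}")
        if ga.split(":")[0] in BANNED_GROUPS:
            findings.append(f"{ga}:{version} should not be resolved")
    return findings

if __name__ == "__main__":
    for label, tree in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(tree) or "clean")
```

Run it against the resolved tree of the consuming application rather than the library, since that is where the older transitive version showed up.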