Upgrading 32 dependencies on main branch #4305
…g-runner to v2.8.4
|
I ran the entire test suite locally and, after updating the security policy for the BouncyCastle upgrade, it all passes. So I'll take this out of draft mode and mark it ready for review, first by Copilot... |
|
I like this innovative approach to dealing with dependencies... It has felt to me like more and more time has been going into dependency management and that it was a Sisyphean task. On other projects that are smaller like Quepid I basically do a two day spasm of updating dependencies, manually test, and then call it good about three times a year ;-). I don't have the intertwined issues that we get in Solr! I wonder if dependency upgrades really need to be in our changelog? If our changelog is for end users, unless a dependency is fixing some big exciting thing, or it's a big new feature, I suspect it's just noise. |
You will see for most changelogs out there, dep upgrades will be a major part of the changelog, and I believe it makes sense. Perhaps more so for libraries such as Solrj. For Solr server it will alert users about whether they can expect a certain bug/cve to be fixed in a given version, which they otherwise would have to scan source code or git to find out. Speaking about SolrJ, since we don't publish it as a separate artifact (should we?), it would perhaps be useful to have a separate changelog section for solrj dependency upgrades. Eh, well folks can see dependencies in maven central too, I don't know.. |
This is the happy path. Dealing with low-hanging fruit. After merging this, there will still be plenty of dep upgrades that did not pass checks, that need manual tweaks, added LICENSE files etc. My thinking is that volunteers can work on each individual problematic solrbot PR to figure out each of them, with or without AI help, and once the PR branch is green, merge it, or gather a bunch of such into a common branch like here. |
Pull request overview
Copilot reviewed 300 out of 346 changed files in this pull request and generated 6 comments.
…v2.42.34 AWS SDK v2.42.34 creates a background thread named response-input-stream-timeout-scheduler whenever getObject() is called without an explicit ResponseTransformer timeout parameter. This thread is not cleaned up promptly, causing ThreadLeakError in tests. Fix by passing ResponseTransformer.toInputStream(Duration.ZERO) to all getObject() calls in S3StorageClient.pullStream() and the S3 test classes, disabling the timeout mechanism that spawns the scheduler thread (see aws/aws-sdk-java-v2#6567). Also remove deprecated @SuppressWarnings("removal") and add .silent() to S3MockRule builders to suppress Spring Boot startup noise in test output.
…v2.42.34 AWS SDK v2.42.34 creates a background thread named response-input-stream-timeout-scheduler whenever getObject() is called without an explicit ResponseTransformer timeout parameter. This thread is not cleaned up promptly, causing ThreadLeakError in tests. Fix by passing ResponseTransformer.toInputStream(Duration.ZERO) to all getObject() calls in S3StorageClient.pullStream() and the S3 test classes, disabling the timeout mechanism that spawns the scheduler thread (see aws/aws-sdk-java-v2#6567). Also remove deprecated @SuppressWarnings("removal") and add .silent() to S3MockRule builders to suppress Spring Boot startup noise in test output.
Conflicts: solr/modules/s3-repository/src/java/org/apache/solr/s3/S3StorageClient.java
- JGit changelog: 7.5.0 -> 7.6.0.202603022253-r (actual resolved version)
- Mockito changelog: 5.21.0 -> 5.23.0 (actual resolved version)
- checker-qual changelog: 3.53.1 -> 3.54.0 (matches license sha1 file)
- onnx version in libs.versions.toml: 1.23.0 -> 1.24.3 (matches license sha1 file)
- dropwizard changelog: remove spurious PR#4093 link (manual upgrade, no solrbot PR)
|
@janhoy Was there a specific reason you updated kotlin-datetime to to A bit of the background: some classes were moved to the Kotlin standard library, which caused some conflicts in some libraries. Therefore they had to introduce a compatibility version for consumers that solves any issues of incompatible libraries. More info can be found here. |
|
That’s an oversight. I thought to look at it but forgot. Will change it to 0.7.1, thanks. |
Bulk dependency upgrades: Jetty 12.0.34, Jersey 4, Jakarta Annotations 3, and 29 other deps

Upgrades 32 dependencies. Jetty is upgraded to 12.0.34 (latest 12.0.x; 12.1 is a breaking change). Dropwizard-metrics is pinned to 4.2.33 since later versions require Jetty 12.1. Jersey is upgraded to v4.0.2 (major). Jakarta Annotation API is upgraded to v3 (major).

Merged solrbot PRs:
- #3075 Update netty.tcnative to v2.0.75.Final
- #3105 Update checker-qual to v3.54.0
- #3114 Update threetenbp to v1.7.2
- #3129 Update jakarta.annotation-api to v3 (major)
- #3131 Update ltgt.errorprone to v5.1.0 (major)
- #3293 Update littlerobots.versioncatalogupdate to v1 (major)
- #3313 Update kotlinx.coroutines to v1.10.2
- #3422 Update kotlinx-datetime to v0.7.1-0.6.x-compat
- #3677 Update bouncycastle to v1.84
- #3681 Update guava to v33.5.0-jre
- #3697 Update mockito to v5.23.0
- #3715 Update spotless to v8 (major)
- #3733 Update junit-jupiter to v6.0.3 (major)
- #3757 Update eclipse.jgit to v7.6.0
- #3794 Update netty to v4.2.12.Final
- #3796 Update spotbugs-annotations to v4.9.8
- #3827 Update caffeine to v3.2.3
- #3850 Update commons-codec to v1.21.0
- #3853 Update jersey to v4.0.2 (major)
- #3855 Update commons-io to v2.21.0
- #3861 Update commons-cli to v1.11.0
- #3894 Update commons-configuration2 to v2.13.0
- #3917 Update commons-exec to v1.6.0
- #3942 Update apache.opennlp to v2.5.8
- #4092 Update bytebuddy to v1.18.8-jdk5
- #4094 Update AWS SDK to v2.42.34
- #4095 Update jackson-bom to v2.21.2
- #4097 Update openapi.generator to v7.20.0
- #4155 Update carrotsearch.randomizedtesting to v2.8.4
- #4156 Update kotlin-logging to v8 (major)
- #4158 Update apache.kafka to v3.9.2

---

Closes #3075, #3105, #3114, #3129, #3131, #3293, #3313, #3422, #3677, #3681, #3697, #3715, #3733, #3757, #3794, #3796, #3827, #3850, #3853, #3855, #3861, #3894, #3917, #3942, #4092, #4094, #4095, #4097, #4155, #4156 and #4158

(cherry picked from commit 7f5c4f2)
|
This PR was backported to branch_9x and thus upgraded diffplug-spotless from 7x to 8x series over there -- a major version bump, and one that requires JDK 17. Can you please fix that? |
Spotless on |
|
You are right; sorry. I got confused following the release wizard... I was on branch_10x according to the steps at a certain point but the java version needed to change to execute this command. I guess this is another case for gradle toolchains. |
Bulk dependency upgrade for main branch. Asked Claude to merge all "clean" solrbot PRs for main into this feature branch. There will be another batch of "clean" upgrades later.
This PR also "manually" upgrades Jetty to 12.0.34 (latest 12.0.x version as 12.1 is a breaking change), and dropwizard-metrics to 4.2.33 (since later will require Jetty 12.1). The solrbot PR branches merged into this are the following:
Resolves #3075, #3105, #3114, #3129, #3131, #3293, #3313, #3422, #3677, #3681, #3697, #3715, #3733, #3757, #3794, #3796, #3827, #3850, #3853, #3855, #3861, #3894, #3917, #3942, #4092, #4094, #4095, #4097, #4155, #4156 and #4158