Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: 17.12.01
    • Component/s: ALL COMPONENTS
    • Labels:
      None

      Description

      I wondered how up-to-date our project dependencies are and searched for an efficient way to check this. I found the gradle-versions-plugin [1], which analyzes the dependencies and checks if there are newer versions available.

      I ran the check with

      ./gradlew dependencyUpdates -Drevision=release
      

      and got the following result:

      ------------------------------------------------------------
      : Project Dependency Updates (report to plain text file)
      ------------------------------------------------------------

      The following dependencies are using the latest release version:

      • net.sf.barcode4j:barcode4j:2.1
      • net.sf.barcode4j:barcode4j-fop-ext:2.1
      • org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380
      • org.apache.commons:commons-collections4:4.1
      • com.googlecode.ez-vcard:ez-vcard:0.9.10
      • org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1
      • org.apache.geronimo.components:geronimo-transaction:3.1.4
      • at.bxm.gradleplugins:gradle-svntools-plugin:2.2.1
      • com.github.ben-manes:gradle-versions-plugin:0.15.0
      • org.hamcrest:hamcrest-all:1.3
      • net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11
      • javax.el:javax.el-api:3.0.1-b04
      • de.odysseus.juel:juel-impl:2.2.7
      • de.odysseus.juel:juel-spi:2.2.7
      • junit:junit:4.12
      • oro:oro:2.0.8
      • apache-xerces:xercesImpl:2.9.1

      The following dependencies exceed the version found at the release revision level:

      • com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer [20160628.1 <- 1.1]

      The following dependencies have later release versions:

      • org.apache.ant:ant-junit [1.9.0 -> 1.10.1]
      • org.apache.ant:ant-junit [1.9.7 -> 1.10.1]
      • org.apache.axis2:axis2-kernel [1.7.1 -> 1.7.6]
      • org.apache.axis2:axis2-transport-http [1.7.1 -> 1.7.6]
      • org.apache.axis2:axis2-transport-local [1.7.1 -> 1.7.6]
      • commons-cli:commons-cli [1.3.1 -> 1.4]
      • org.apache.commons:commons-csv [1.1 -> 1.5]
      • org.apache.commons:commons-dbcp2 [2.1 -> 2.1.1]
      • commons-net:commons-net [3.3 -> 3.6]
      • commons-validator:commons-validator [1.5.1 -> 1.6]
      • com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru [1.0 -> 1.4.2]
      • com.google.zxing:core [3.2.1 -> 3.3.0]
      • org.apache.derby:derby [10.11.1.1 -> 10.13.1.1]
      • org.owasp.esapi:esapi [2.1.0 -> 2.1.0.1]
      • org.apache.xmlgraphics:fop [2.1 -> 2.2]
      • org.freemarker:freemarker [2.3.25-incubating -> 2.3.26-incubating]
      • org.codehaus.groovy:groovy-all [2.4.12 -> 2.5.0-beta-1]
      • org.apache.httpcomponents:httpclient-cache [4.4.1 -> 4.5.3]
      • com.ibm.icu:icu4j [57.1 -> 59.1]
      • com.lowagie:itext [2.1.7 -> 4.2.2]
      • org.zapodot:jackson-databind-java-optional [2.4.2 -> 2.6.1]
      • com.sun.mail:javax.mail [1.5.1 -> 1.6.0]
      • javax.servlet:javax.servlet-api [3.1.0 -> 4.0.0]
      • javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
      • junit:junit-dep [4.10 -> 4.11]
      • com.googlecode.libphonenumber:libphonenumber [8.6.0 -> 8.8.0]
      • org.apache.logging.log4j:log4j-1.2-api [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-api [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-core [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-jul [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-slf4j-impl [2.6.2 -> 2.9.0]
      • org.mockito:mockito-core [1.10.19 -> 2.9.0]
      • org.apache.poi:poi [3.14 -> 3.17-beta1]
      • org.apache.shiro:shiro-core [1.3.0 -> 1.4.0]
      • org.springframework:spring-test [4.2.3.RELEASE -> 4.3.10.RELEASE]
      • org.apache.tika:tika-core [1.12 -> 1.16]
      • org.apache.tika:tika-parsers [1.12 -> 1.16]
      • org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
      • org.apache.tomcat:tomcat-catalina-ha [8.5.16 -> 9.0.0.M25]
      • org.apache.tomcat:tomcat-jasper [8.5.16 -> 9.0.0.M26]
      • org.apache.tomcat:tomcat-tribes [8.5.16 -> 9.0.0.M25]
      • wsdl4j:wsdl4j [1.6.2 -> 1.6.3]
      • org.apache.xmlrpc:xmlrpc-client [3.1.2 -> 3.1.3]
      • org.apache.xmlrpc:xmlrpc-server [3.1.2 -> 3.1.3]
      • com.thoughtworks.xstream:xstream [1.4.9 -> 1.4.10]

      Failed to determine the latest version for the following dependencies (use --info for details):

      • com.sun.syndication:com.springsource.com.sun.syndication
      • org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec

      Generated report file build/dependencyUpdates/report.txt
      ===

      If there are no objections, I would try to update the dependencies to the latest release versions, which means I would skip the milestone versions for e.g. Tomcat here.

      We can run this check from time to time to see if we have missed updates to the dependencies.

      What do you think? Is this reasonable?

      Thanks,
      Michael

      [1] https://github.com/ben-manes/gradle-versions-plugin
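
Added example, not part of the original issue or of the project's build: a Python triage of the plain-text report shown above. It separates candidates that look like pre-releases (9.0.0.M26, 3.17-beta1, 2.3.2-b02) from plain releases and flags coordinates reported with more than one current version (ant-junit above). The qualifier list in `PRERELEASE` and the names `triage` and `is_prerelease` are assumptions of this example; `SAMPLE_REPORT` is constructed from lines of the report above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape of the report quoted in the issue.
SAMPLE_REPORT = """\
The following dependencies are using the latest release version:
 - junit:junit:4.12

The following dependencies have later release versions:
 - org.apache.ant:ant-junit [1.9.0 -> 1.10.1]
 - org.apache.ant:ant-junit [1.9.7 -> 1.10.1]
 - org.apache.poi:poi [3.14 -> 3.17-beta1]
 - org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
 - javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
 - org.apache.shiro:shiro-core [1.3.0 -> 1.4.0]

Failed to determine the latest version for the following dependencies (use --info for details):
 - com.sun.syndication:com.springsource.com.sun.syndication
"""

# Matches only "group:artifact [current -> candidate]" lines ("-" or "•" bullets).
UPDATE = re.compile(
    r"^[ \t]*[-•][ \t]*(\S+?):(\S+)[ \t]+\[(\S+)[ \t]+->[ \t]+(\S+)\][ \t]*$", re.M)
# Assumed heuristic: a version token such as beta1, rc3, M26 or b02 marks a pre-release.
PRERELEASE = re.compile(r"^(?:(?:alpha|beta|rc|cr|pre|snapshot)\d*|[mb]\d+)$", re.I)


def is_prerelease(version):
    """True if any dot/dash/underscore-separated token is a pre-release qualifier."""
    return any(PRERELEASE.match(tok) for tok in re.split(r"[.\-_]", version))


def triage(report):
    """Split update candidates into stable and pre-release; list mixed-version coordinates."""
    stable, held, current = [], [], defaultdict(set)
    for group, artifact, cur, new in UPDATE.findall(report):
        coord = f"{group}:{artifact}"
        current[coord].add(cur)
        (held if is_prerelease(new) else stable).append((coord, cur, new))
    mixed = sorted(c for c, versions in current.items() if len(versions) > 1)
    return {"stable": stable, "prerelease": held, "mixed": mixed}


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_REPORT).items():
        print(bucket, rows)
```

Pointing `triage` at the contents of build/dependencyUpdates/report.txt gives the same split for a full run.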

            People

            • Assignee:
              mbrohl Michael Brohl
              Reporter:
              mbrohl Michael Brohl