  1. OFBiz
  2. OFBIZ-9674

Update build.gradle to the latest dependencies

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: Upcoming Release
    • Component/s: ALL COMPONENTS
    • Labels:
      None

      Description

      I wondered how up-to-date our project dependencies are and searched for an efficient way to check this. I found the gradle-versions-plugin [1], which analyzes the dependencies and checks if there are newer versions available.

      I ran the check with

      ./gradlew dependencyUpdates -Drevision=release
      

      and got the following result:

      ------------------------------------------------------------
      : Project Dependency Updates (report to plain text file)
      ------------------------------------------------------------

      The following dependencies are using the latest release version:

      • net.sf.barcode4j:barcode4j:2.1
      • net.sf.barcode4j:barcode4j-fop-ext:2.1
      • org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380
      • org.apache.commons:commons-collections4:4.1
      • com.googlecode.ez-vcard:ez-vcard:0.9.10
      • org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1
      • org.apache.geronimo.components:geronimo-transaction:3.1.4
      • at.bxm.gradleplugins:gradle-svntools-plugin:2.2.1
      • com.github.ben-manes:gradle-versions-plugin:0.15.0
      • org.hamcrest:hamcrest-all:1.3
      • net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11
      • javax.el:javax.el-api:3.0.1-b04
      • de.odysseus.juel:juel-impl:2.2.7
      • de.odysseus.juel:juel-spi:2.2.7
      • junit:junit:4.12
      • oro:oro:2.0.8
      • apache-xerces:xercesImpl:2.9.1

      The following dependencies exceed the version found at the release revision level:

      • com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer [20160628.1 <- 1.1]

      The following dependencies have later release versions:

      • org.apache.ant:ant-junit [1.9.0 -> 1.10.1]
      • org.apache.ant:ant-junit [1.9.7 -> 1.10.1]
      • org.apache.axis2:axis2-kernel [1.7.1 -> 1.7.6]
      • org.apache.axis2:axis2-transport-http [1.7.1 -> 1.7.6]
      • org.apache.axis2:axis2-transport-local [1.7.1 -> 1.7.6]
      • commons-cli:commons-cli [1.3.1 -> 1.4]
      • org.apache.commons:commons-csv [1.1 -> 1.5]
      • org.apache.commons:commons-dbcp2 [2.1 -> 2.1.1]
      • commons-net:commons-net [3.3 -> 3.6]
      • commons-validator:commons-validator [1.5.1 -> 1.6]
      • com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru [1.0 -> 1.4.2]
      • com.google.zxing:core [3.2.1 -> 3.3.0]
      • org.apache.derby:derby [10.11.1.1 -> 10.13.1.1]
      • org.owasp.esapi:esapi [2.1.0 -> 2.1.0.1]
      • org.apache.xmlgraphics:fop [2.1 -> 2.2]
      • org.freemarker:freemarker [2.3.25-incubating -> 2.3.26-incubating]
      • org.codehaus.groovy:groovy-all [2.4.12 -> 2.5.0-beta-1]
      • org.apache.httpcomponents:httpclient-cache [4.4.1 -> 4.5.3]
      • com.ibm.icu:icu4j [57.1 -> 59.1]
      • com.lowagie:itext [2.1.7 -> 4.2.2]
      • org.zapodot:jackson-databind-java-optional [2.4.2 -> 2.6.1]
      • com.sun.mail:javax.mail [1.5.1 -> 1.6.0]
      • javax.servlet:javax.servlet-api [3.1.0 -> 4.0.0]
      • javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
      • junit:junit-dep [4.10 -> 4.11]
      • com.googlecode.libphonenumber:libphonenumber [8.6.0 -> 8.8.0]
      • org.apache.logging.log4j:log4j-1.2-api [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-api [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-core [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-jul [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-slf4j-impl [2.6.2 -> 2.9.0]
      • org.mockito:mockito-core [1.10.19 -> 2.9.0]
      • org.apache.poi:poi [3.14 -> 3.17-beta1]
      • org.apache.shiro:shiro-core [1.3.0 -> 1.4.0]
      • org.springframework:spring-test [4.2.3.RELEASE -> 4.3.10.RELEASE]
      • org.apache.tika:tika-core [1.12 -> 1.16]
      • org.apache.tika:tika-parsers [1.12 -> 1.16]
      • org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
      • org.apache.tomcat:tomcat-catalina-ha [8.5.16 -> 9.0.0.M25]
      • org.apache.tomcat:tomcat-jasper [8.5.16 -> 9.0.0.M26]
      • org.apache.tomcat:tomcat-tribes [8.5.16 -> 9.0.0.M25]
      • wsdl4j:wsdl4j [1.6.2 -> 1.6.3]
      • org.apache.xmlrpc:xmlrpc-client [3.1.2 -> 3.1.3]
      • org.apache.xmlrpc:xmlrpc-server [3.1.2 -> 3.1.3]
      • com.thoughtworks.xstream:xstream [1.4.9 -> 1.4.10]

      Failed to determine the latest version for the following dependencies (use --info for details):

      • com.sun.syndication:com.springsource.com.sun.syndication
      • org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec

      Generated report file build/dependencyUpdates/report.txt
      ===

      If there are no objections, I would try to update the dependencies to the latest release versions, which means I would skip the milestone versions for e.g. Tomcat here.

      We can run this check from time to time to see if we have missed updates to the dependencies.

      What do you think? Is this reasonable?

      Thanks,
      Michael

      [1] https://github.com/ben-manes/gradle-versions-plugin
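
An added example, not part of the original issue or of the OFBiz code base: a small Python triage of the plain-text report quoted above, marking milestone/beta targets (the kind the description proposes to skip) and the size of each version jump. The qualifier regex, the function names and the "review" rule are assumptions made for this illustration; the sample lines are copied from the report.

```python
import re

# Constructed sample: a few lines copied from the report quoted in the issue.
SAMPLE_REPORT = """\
The following dependencies exceed the version found at the release revision level:
 • com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer [20160628.1 <- 1.1]
The following dependencies have later release versions:
 • org.apache.commons:commons-dbcp2 [2.1 -> 2.1.1]
 • com.lowagie:itext [2.1.7 -> 4.2.2]
 • org.codehaus.groovy:groovy-all [2.4.12 -> 2.5.0-beta-1]
 • org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
 • javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
 • com.thoughtworks.xstream:xstream [1.4.9 -> 1.4.10]
"""

# "group:name [current -> available]" as printed by the plain-text report.
UPDATE = re.compile(r"([\w.-]+:[\w.-]+) \[([^\s\]]+) -> ([^\s\]]+)\]")
# Assumed heuristic for milestone/beta qualifiers (M26, beta-1, b02, rc1 ...).
PRERELEASE = re.compile(r"(?:^|[.-])(?:alpha|beta|rc|cr|m|b|pre)[.-]?\d*$", re.I)

def _numeric(version):
    """First three components of the leading dotted number, zero padded."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(n) for n in m.group().split(".")][:3] if m else []
    return parts + [0] * (3 - len(parts))

def jump(current, available):
    """Classify the size of an upgrade as major, minor, patch or other."""
    for label, old, new in zip(("major", "minor", "patch"),
                               _numeric(current), _numeric(available)):
        if old != new:
            return label
    return "other"

def triage(report):
    """Return (coordinate, current, available, jump, is_prerelease) tuples."""
    return [(coord, cur, new, jump(cur, new), bool(PRERELEASE.search(new)))
            for coord, cur, new in UPDATE.findall(report)]

def needs_review(report):
    """Upgrades to hold back for manual review: pre-releases and major jumps."""
    return [r[0] for r in triage(report) if r[4] or r[3] == "major"]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print("%-45s %-8s -> %-13s %-6s prerelease=%s" % row)
```

Run against `build/dependencyUpdates/report.txt`, `needs_review` gives the list of coordinates to check by hand before bumping them in build.gradle.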

        Activity

        jacques.le.roux Jacques Le Roux added a comment -

        Hi Michael,

        That sounds like quite an interesting approach.

        mbrohl Michael Brohl added a comment -

        Ok, there are no objections and a positive response from Jacques. We are going to implement this and provide a patch for the suggested upgrades soon.

        jleichert Julian Leichert added a comment -

        I created a patch to update the dependencies in the build.gradle, as mentioned above.

        jleichert Julian Leichert added a comment -
        • Changed itext dependency to 4.2.0
        jleichert Julian Leichert added a comment -
        • removed gradle-versions-plugin from patch file
        jleichert Julian Leichert added a comment -
        • changed Version in FreeMarkerWorker to 2.3.26
        mbrohl Michael Brohl added a comment -

        Thanks Julian,

        your patch is in trunk r1812161.


          People

          • Assignee:
            mbrohl Michael Brohl
            Reporter:
            mbrohl Michael Brohl