
Details

    • Sub-task
    • Status: Closed
    • Minor
    • Resolution: Implemented
    • Trunk
    • 17.12.01
    • ALL COMPONENTS
    • None

    Description

      I wondered how up-to-date our project dependencies are and searched for an efficient way to check this. I found the gradle-versions-plugin [1], which analyzes the dependencies and checks if there are newer versions available.

      I ran the check with

      ./gradlew dependencyUpdates -Drevision=release
      

      and got the following result:

      ------------------------------------------------------------
      : Project Dependency Updates (report to plain text file)
      ------------------------------------------------------------

      The following dependencies are using the latest release version:

      • net.sf.barcode4j:barcode4j:2.1
      • net.sf.barcode4j:barcode4j-fop-ext:2.1
      • org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380
      • org.apache.commons:commons-collections4:4.1
      • com.googlecode.ez-vcard:ez-vcard:0.9.10
      • org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1
      • org.apache.geronimo.components:geronimo-transaction:3.1.4
      • at.bxm.gradleplugins:gradle-svntools-plugin:2.2.1
      • com.github.ben-manes:gradle-versions-plugin:0.15.0
      • org.hamcrest:hamcrest-all:1.3
      • net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11
      • javax.el:javax.el-api:3.0.1-b04
      • de.odysseus.juel:juel-impl:2.2.7
      • de.odysseus.juel:juel-spi:2.2.7
      • junit:junit:4.12
      • oro:oro:2.0.8
      • apache-xerces:xercesImpl:2.9.1

      The following dependencies exceed the version found at the release revision level:

      • com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer [20160628.1 <- 1.1]

      The following dependencies have later release versions:

      • org.apache.ant:ant-junit [1.9.0 -> 1.10.1]
      • org.apache.ant:ant-junit [1.9.7 -> 1.10.1]
      • org.apache.axis2:axis2-kernel [1.7.1 -> 1.7.6]
      • org.apache.axis2:axis2-transport-http [1.7.1 -> 1.7.6]
      • org.apache.axis2:axis2-transport-local [1.7.1 -> 1.7.6]
      • commons-cli:commons-cli [1.3.1 -> 1.4]
      • org.apache.commons:commons-csv [1.1 -> 1.5]
      • org.apache.commons:commons-dbcp2 [2.1 -> 2.1.1]
      • commons-net:commons-net [3.3 -> 3.6]
      • commons-validator:commons-validator [1.5.1 -> 1.6]
      • com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru [1.0 -> 1.4.2]
      • com.google.zxing:core [3.2.1 -> 3.3.0]
      • org.apache.derby:derby [10.11.1.1 -> 10.13.1.1]
      • org.owasp.esapi:esapi [2.1.0 -> 2.1.0.1]
      • org.apache.xmlgraphics:fop [2.1 -> 2.2]
      • org.freemarker:freemarker [2.3.25-incubating -> 2.3.26-incubating]
      • org.codehaus.groovy:groovy-all [2.4.12 -> 2.5.0-beta-1]
      • org.apache.httpcomponents:httpclient-cache [4.4.1 -> 4.5.3]
      • com.ibm.icu:icu4j [57.1 -> 59.1]
      • com.lowagie:itext [2.1.7 -> 4.2.2]
      • org.zapodot:jackson-databind-java-optional [2.4.2 -> 2.6.1]
      • com.sun.mail:javax.mail [1.5.1 -> 1.6.0]
      • javax.servlet:javax.servlet-api [3.1.0 -> 4.0.0]
      • javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
      • junit:junit-dep [4.10 -> 4.11]
      • com.googlecode.libphonenumber:libphonenumber [8.6.0 -> 8.8.0]
      • org.apache.logging.log4j:log4j-1.2-api [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-api [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-core [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-jul [2.6.2 -> 2.9.0]
      • org.apache.logging.log4j:log4j-slf4j-impl [2.6.2 -> 2.9.0]
      • org.mockito:mockito-core [1.10.19 -> 2.9.0]
      • org.apache.poi:poi [3.14 -> 3.17-beta1]
      • org.apache.shiro:shiro-core [1.3.0 -> 1.4.0]
      • org.springframework:spring-test [4.2.3.RELEASE -> 4.3.10.RELEASE]
      • org.apache.tika:tika-core [1.12 -> 1.16]
      • org.apache.tika:tika-parsers [1.12 -> 1.16]
      • org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
      • org.apache.tomcat:tomcat-catalina-ha [8.5.16 -> 9.0.0.M25]
      • org.apache.tomcat:tomcat-jasper [8.5.16 -> 9.0.0.M26]
      • org.apache.tomcat:tomcat-tribes [8.5.16 -> 9.0.0.M25]
      • wsdl4j:wsdl4j [1.6.2 -> 1.6.3]
      • org.apache.xmlrpc:xmlrpc-client [3.1.2 -> 3.1.3]
      • org.apache.xmlrpc:xmlrpc-server [3.1.2 -> 3.1.3]
      • com.thoughtworks.xstream:xstream [1.4.9 -> 1.4.10]

      Failed to determine the latest version for the following dependencies (use --info for details):

      • com.sun.syndication:com.springsource.com.sun.syndication
      • org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec

      Generated report file build/dependencyUpdates/report.txt
      ===

      If there are no objections, I would try to update the dependencies to the latest release versions, which means I would skip the milestone versions for e.g. Tomcat here.

      We can run this check from time to time to see if we have missed updates to the dependencies.

      What do you think? Is this reasonable?

      Thanks,
      Michael

      [1] https://github.com/ben-manes/gradle-versions-plugin
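
The triage proposed in the description (update to the latest release versions, skip milestone versions such as Tomcat's), as an added example that is not part of the original issue or of the OFBiz code base: a Python script that parses lines in the report format shown above, sets aside upgrade targets that look like pre-releases, and flags artifacts declared at more than one current version. The qualifier list and all function names are assumptions; the sample lines are copied from the report in the description.

```python
import re
from collections import defaultdict

# Report line format: "• group:name [current -> latest]"
UPDATE_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<coord>[\w.\-]+:[\w.\-]+)\s+"
    r"\[(?P<current>\S+)\s+->\s+(?P<latest>\S+)\]\s*$"
)
# Assumed pre-release qualifiers (alpha, beta, rc, cr, M<n>, b<n>, ...).
PRE_RELEASE = re.compile(
    r"(?i)[.\-](alpha|beta|rc|cr|m|b|pre|preview|snapshot)[.\-]?\d*(?:[.\-]|$)"
)

# Lines copied from the report in the issue description (subset).
SAMPLE_REPORT = """\
The following dependencies have later release versions:

 • org.apache.ant:ant-junit [1.9.0 -> 1.10.1]
 • org.apache.ant:ant-junit [1.9.7 -> 1.10.1]
 • org.codehaus.groovy:groovy-all [2.4.12 -> 2.5.0-beta-1]
 • org.freemarker:freemarker [2.3.25-incubating -> 2.3.26-incubating]
 • javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
 • org.springframework:spring-test [4.2.3.RELEASE -> 4.3.10.RELEASE]
 • org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
 • com.thoughtworks.xstream:xstream [1.4.9 -> 1.4.10]
"""

def is_pre_release(version):
    # True when the version string carries one of the assumed qualifiers.
    return PRE_RELEASE.search(version) is not None

def triage(report_text):
    # Split upgrade candidates into stable targets and skipped pre-releases.
    stable, skipped, declared = [], [], defaultdict(set)
    for line in report_text.splitlines():
        m = UPDATE_LINE.match(line)
        if not m:
            continue  # headings, blank lines, "<-" entries
        coord, current, latest = m.group("coord", "current", "latest")
        declared[coord].add(current)
        bucket = skipped if is_pre_release(latest) else stable
        bucket.append((coord, current, latest))
    mixed = {c: sorted(v) for c, v in declared.items() if len(v) > 1}
    return {"stable": stable, "skipped": skipped, "mixed_versions": mixed}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Entries in the skipped bucket still need a manual check for the newest stable release on the current line, since the report only names the single latest version it found.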

      Attachments

        1. OFBIZ-9674_Update_buildgradle.patch
          7 kB
          Julian Leichert

        Activity

          People

            mbrohl Michael Brohl
            mbrohl Michael Brohl