[jira] [Assigned] (SLING-11158) The starter's "Start Sling" instructions don't work with feature launcher v1.1.28 or later
[ https://issues.apache.org/jira/browse/SLING-11158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman reassigned SLING-11158:
---

Assignee: Eric Norman

> The starter's "Start Sling" instructions don't work with feature launcher v1.1.28 or later
> --
>
> Key: SLING-11158
> URL: https://issues.apache.org/jira/browse/SLING-11158
> Project: Sling
> Issue Type: Bug
> Affects Versions: Feature Model Launcher 1.1.28, Feature Model Launcher 1.2.0
> Reporter: Eric Norman
> Assignee: Eric Norman
> Priority: Major
> Fix For: Feature Launcher Maven Plugin 0.1.4, Starter 13
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> After the SLING-10956 changes, launching the Starter with the README provided
> instructions while using the v1.1.28 or later feature launcher does not work
> anymore.
> For example,
> {noformat}
> $ java -jar target/dependency/org.apache.sling.feature.launcher.jar -f target/slingfeature-tmp/feature-oak_tar.json
> Error: Unable to initialize main class org.apache.sling.feature.launcher.impl.Main
> Caused by: java.lang.NoClassDefFoundError: org/apache/commons/cli/ParseException
> {noformat}
>
> Also, the start goal of the feature-launcher-maven-plugin fails with the same
> exception when paired with a featureLauncherVersion of 1.1.28 or later.

--
This message was sent by Atlassian Jira (v8.20.1#820001)
[GitHub] [sling-org-apache-sling-app-cms] dependabot[bot] opened a new pull request, #13: Bump minimist from 1.2.5 to 1.2.6 in /ui
dependabot[bot] opened a new pull request, #13:
URL: https://github.com/apache/sling-org-apache-sling-app-cms/pull/13

Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.

Commits

- [7efb22a](https://github.com/substack/minimist/commit/7efb22a518b53b06f5b02a1038a88bd6290c2846) 1.2.6
- [ef88b93](https://github.com/substack/minimist/commit/ef88b9325f77b5ee643ccfc97e2ebda577e4c4e2) security notice for additional prototype pollution issue
- [c2b9819](https://github.com/substack/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d) isConstructorOrProto adapted from PR
- [bc8ecee](https://github.com/substack/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb) test from prototype pollution PR
- See full diff in [compare view](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/sling-org-apache-sling-app-cms/network/alerts).

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [VOTE] Release Apache Sling JSPC Maven Plugin 2.3.4
+1

regards,

Karl

On Mon, Apr 11, 2022 at 4:13 PM Radu Cotescu wrote:
>
> +1
>
> > On 8 Apr 2022, at 17:35, Radu Cotescu wrote:
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] 0 Don't care
> > [ ] -1 Don't release, because ...
>

--
Karl Pauls
karlpa...@gmail.com
[GitHub] [sling-org-apache-sling-starter] rombert merged pull request #65: Update composum to version 4.1.1
rombert merged PR #65: URL: https://github.com/apache/sling-org-apache-sling-starter/pull/65
[GitHub] [sling-org-apache-sling-starter] sonarcloud[bot] commented on pull request #65: Update composum to version 4.1.1
sonarcloud[bot] commented on PR #65:
URL: https://github.com/apache/sling-org-apache-sling-starter/pull/65#issuecomment-1095135712

Kudos, SonarCloud Quality Gate passed!

- 0 Bugs (A)
- 0 Vulnerabilities (A)
- 0 Security Hotspots (A)
- 0 Code Smells (A)
- No Coverage information
- 0.0% Duplication
[jira] [Commented] (SLING-11240) Content packages with invalid Long properties cause index definition extraction to fail
[ https://issues.apache.org/jira/browse/SLING-11240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17520612#comment-17520612 ]

Robert Munteanu commented on SLING-11240:
-

[~kwin] - I have lost track of what happens with this kind of input in the processing pipeline I'm using at the moment :-)

I fully agree that we should prevent invalid content packages from advancing, and earlier is better. At the same time, I did not see any problems with this package, except for the changes I introduced. So I'd be hesitant to add more validation, or at least if FileVault becomes more strict I'd be very careful about integrating it since it has the potential to introduce regressions.

> Content packages with invalid Long properties cause index definition extraction to fail
> ---
>
> Key: SLING-11240
> URL: https://issues.apache.org/jira/browse/SLING-11240
> Project: Sling
> Issue Type: Bug
> Components: Content-Package to Feature Model Converter
> Affects Versions: Content-Package to Feature Model Converter 1.1.14
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Priority: Major
> Fix For: Content-Package to Feature Model Converter 1.1.16
>
>
> Certain content packages contain invalid attribute definitions, such as
> {noformat}
> ...
>boost="{Long}2.0" />
> ...
> {noformat}
> Although the intention is clear - a boot value of 2 - parsing fails
> {noformat}
> java.lang.NumberFormatException: For input string: "2.0"
> at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> at java.base/java.lang.Long.parseLong(Long.java:692)
> at java.base/java.lang.Long.parseLong(Long.java:817)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.lambda$write$2(IndexDefinitionsJsonWriter.java:94)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.write(IndexDefinitionsJsonWriter.java:143)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.write(IndexDefinitionsJsonWriter.java:94)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.write(IndexDefinitionsJsonWriter.java:134)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.write(IndexDefinitionsJsonWriter.java:134)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.write(IndexDefinitionsJsonWriter.java:134)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.write(IndexDefinitionsJsonWriter.java:134)
> at org.apache.sling.feature.cpconverter.index.IndexDefinitionsJsonWriter.writeAsJson(IndexDefinitionsJsonWriter.java:69)
> at org.apache.sling.feature.cpconverter.index.DefaultIndexManager.addRepoinitExtension(DefaultIndexManager.java:38)
> at org.apache.sling.feature.cpconverter.ContentPackage2FeatureModelConverter.secondPass(ContentPackage2FeatureModelConverter.java:331)
> at org.apache.sling.feature.cpconverter.ContentPackage2FeatureModelConverter.convert(ContentPackage2FeatureModelConverter.java:266)
> {noformat}

--
This message was sent by Atlassian Jira (v8.20.1#820001)
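
A pre-flight check for the kind of value reported in SLING-11240, as an added example (not code from the converter, FileVault or this thread). The sample XML, the function names and the handling of `[a,b]` multi-values are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Typed attribute values look like "{Type}value", e.g. boost="{Long}2.0".
TYPED = re.compile(r"^\{(\w+)\}(.*)$", re.S)
LONG_MIN, LONG_MAX = -2**63, 2**63 - 1


def is_java_long(text):
    """Approximate Long.parseLong: optional sign, decimal digits, 64-bit range."""
    if not re.fullmatch(r"[+-]?[0-9]+", text):
        return False
    return LONG_MIN <= int(text) <= LONG_MAX


def long_values(raw):
    """Treat '[1,2]' as a multi-value (assumed syntax); anything else is one value."""
    if raw.startswith("[") and raw.endswith("]"):
        inner = raw[1:-1]
        return inner.split(",") if inner else []
    return [raw]


def find_invalid_longs(docview_xml):
    """Return (node path, attribute, raw value) for every {Long} that will not parse."""
    findings = []

    def walk(elem, path):
        # Drop the "{namespace-uri}" prefix ElementTree puts on qualified names.
        here = path + "/" + elem.tag.rsplit("}", 1)[-1]
        for attr, value in elem.attrib.items():
            match = TYPED.match(value)
            if match and match.group(1) == "Long":
                bad = [v for v in long_values(match.group(2))
                       if not is_java_long(v.strip())]
                if bad:
                    findings.append((here, attr, value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(docview_xml), "")
    return findings


# Constructed sample, not taken from a real content package.
SAMPLE = """<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="oak:QueryIndexDefinition" reindexCount="{Long}1">
  <indexRules jcr:primaryType="nt:unstructured">
    <title jcr:primaryType="nt:unstructured" boost="{Long}2.0" name="jcr:title"/>
    <tags jcr:primaryType="nt:unstructured" weight="{Long}[5,7]"/>
  </indexRules>
</jcr:root>"""

if __name__ == "__main__":
    for path, attr, value in find_invalid_longs(SAMPLE):
        print(f"{path}: {attr}={value!r} is not a valid Long")
```
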
Re: [VOTE] Release Apache Sling JSPC Maven Plugin 2.3.4
+1

> On 8 Apr 2022, at 17:35, Radu Cotescu wrote:
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] 0 Don't care
> [ ] -1 Don't release, because ...
[GitHub] [sling-org-apache-sling-distribution-core] sonarcloud[bot] commented on pull request #44: SLING-8595 update to bundle-parent 40
sonarcloud[bot] commented on PR #44:
URL: https://github.com/apache/sling-org-apache-sling-distribution-core/pull/44#issuecomment-1095090332

SonarCloud Quality Gate failed.

- 0 Bugs (A)
- 1 Vulnerability (B)
- 0 Security Hotspots (A)
- 91 Code Smells (A)
- 11.6% Coverage
- 12.8% Duplication
[GitHub] [sling-org-apache-sling-xss] dependabot[bot] commented on pull request #18: Bump commons-io from 2.6 to 2.7
dependabot[bot] commented on PR #18: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/18#issuecomment-1095070587 OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
[GitHub] [sling-org-apache-sling-xss] rombert commented on pull request #18: Bump commons-io from 2.6 to 2.7
rombert commented on PR #18: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/18#issuecomment-1095070495 https://cwiki.apache.org/confluence/display/SLING/Dependabot
[GitHub] [sling-org-apache-sling-xss] rombert closed pull request #18: Bump commons-io from 2.6 to 2.7
rombert closed pull request #18: Bump commons-io from 2.6 to 2.7 URL: https://github.com/apache/sling-org-apache-sling-xss/pull/18
[GitHub] [sling-jspc-maven-plugin] rombert merged pull request #10: Bump commons-io from 2.5 to 2.7
rombert merged PR #10: URL: https://github.com/apache/sling-jspc-maven-plugin/pull/10
Re: [NOTICE] Dependabot Updates enabled for all projects
I tried to document the consensus around the discussion

https://cwiki.apache.org/confluence/display/SLING/Dependabot

It's a rough draft, feel free to update directly if you see areas that can be improved.

I think we should neither outright accept nor outright reject dependabot PRs, but instead review each update. As an example, Maven plug-ins should get dependencies updated automatically.

I am not sure that we can automate the triage well enough to satisfy the basic rules, so I suggest we work on the manual approach for now and see if it becomes too much effort.

Thanks,
Robert

On Thu, 2022-04-07 at 10:11 -0700, Eric Norman wrote:
> You can certainly (correctly) argue the technical details about how we
> often aren't affected by whatever vulnerability that dependabot is
> warning about,
>
> The problem is that the third-party security scanning tools aren't
> going to understand that nuance and you will have to keep explaining
> those technical details every time someone runs some security scanning
> tools against those artifacts and complains about it.
>
> Updating the dependency to the non-vulnerable version can reduce that
> noise and usually not break compatibility.
>
> Also, if we start to ignore the dependabot warnings due to
> assumptions, we may miss something that is really a problem.
>
> Regards,
> -Eric
>
> On Thu, Apr 7, 2022 at 2:51 AM Konrad Windszus wrote:
>
> > I fully agree here. I don’t think dependabot can be controlled via
> > .asf.yaml yet, so for now we need to disable manually per repo…
> >
> > > On 07.04.2022 at 10:18, Stefan Seifert .invalid> wrote:
> > >
> > > i agree with robert that probably for most of our modules
> > > dependabot is not helpful (exceptions are the maven plugins and
> > > that part of sling starter which controls which bundles are really
> > > deployed at runtime). in our OSGi world, the dependency just
> > > defines the contract against which package/interface version we
> > > compile against.
> > >
> > > if possible it would be helpful to disable dependabot for the
> > > majority of git repos to reduce noise, and avoid accidentally
> > > raising a dependency where it's not required to.
> > >
> > > stefan
> > >
> > >
> > > > -----Original Message-----
> > > > From: Eric Norman
> > > > Sent: Wednesday, April 6, 2022 8:35 PM
> > > > To: Sling Developers List
> > > > Subject: Re: Fwd: [NOTICE] Dependabot Updates enabled for all
> > > > projects
> > > >
> > > > Perhaps some analysis of whether bumping the dependency version
> > > > changes the generated Import-Package instruction can provide
> > > > some insight regarding the compatibility. If the new version of
> > > > the dependency only has changes in packages that we are not
> > > > directly using then it should be safeish to switch.
> > > >
> > > > I would also support changing our process to depend on the
> > > > lowest possible version that doesn't have known vulnerabilities.
> > > > Perhaps with some announcement if there are known compatibility
> > > > issues.
> > > >
> > > > Regards,
> > > > -Eric
> > > >
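
The Import-Package comparison suggested in the thread above, sketched as an added example (not part of any message in this thread and not Sling tooling). The two manifests are constructed and do not reproduce the headers bnd generates for any real commons-io version; all function names are hypothetical.

```python
def unfold(manifest_text):
    """Join MANIFEST.MF continuation lines (a line starting with one space)."""
    lines = []
    for raw in manifest_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def header(manifest_text, name):
    """Return the unfolded value of one manifest header, or '' if absent."""
    prefix = name + ": "
    for line in unfold(manifest_text):
        if line.startswith(prefix):
            return line[len(prefix):]
    return ""


def split_outside_quotes(value, sep):
    """Split on sep, ignoring separators inside quotes such as "[1.4,2)"."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def imports(manifest_text):
    """Map each imported package to (version range, is_optional)."""
    result = {}
    for clause in split_outside_quotes(header(manifest_text, "Import-Package"), ","):
        names, attrs = [], {}
        for part in split_outside_quotes(clause, ";"):
            if "=" in part:
                key, val = part.split("=", 1)  # also handles directives (key:=val)
                attrs[key.rstrip(":").strip()] = val.strip().strip('"')
            else:
                names.append(part)
        for name in names:
            result[name] = (attrs.get("version", ""),
                            attrs.get("resolution") == "optional")
    return result


def diff_imports(old_manifest, new_manifest):
    """Report packages whose import was added, removed or changed by a bump."""
    old, new = imports(old_manifest), imports(new_manifest)
    return {
        "added": {p: new[p] for p in new if p not in old},
        "removed": {p: old[p] for p in old if p not in new},
        "changed": {p: (old[p], new[p]) for p in old if p in new and old[p] != new[p]},
    }


# Constructed manifests (note the folded header line), before and after a bump.
BEFORE = (
    "Manifest-Version: 1.0\n"
    "Bundle-SymbolicName: com.example.bundle\n"
    'Import-Package: org.apache.commons.io;version="[1.4,2)",org.slf4j;versio\n'
    ' n="[1.7,2)",javax.servlet;version="[3.1,4)";resolution:=optional\n'
)
AFTER = (
    "Manifest-Version: 1.0\n"
    "Bundle-SymbolicName: com.example.bundle\n"
    'Import-Package: org.apache.commons.io;version="[2.7,3)",org.apache.commo\n'
    ' ns.io.file;version="[2.7,3)",org.slf4j;version="[1.7,2)",javax.servlet;\n'
    ' version="[3.1,4)";resolution:=optional\n'
)

if __name__ == "__main__":
    print(diff_imports(BEFORE, AFTER))
```

An empty result means the bump left the bundle's runtime contract unchanged; a changed range or an added package is what a reviewer would check before merging.
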
[Jenkins] Sling » Modules » sling-org-apache-sling-launchpad-testing » master #1020 is FIXED
Please see https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-launchpad-testing/job/master/1020/ for details. No further emails will be sent until the status of the build is changed.
[GitHub] [sling-jspc-maven-plugin] sparsick commented on pull request #9: SLING-11253 - Files other than JAR on the classpath make the plugin throw a ZipException
sparsick commented on PR #9: URL: https://github.com/apache/sling-jspc-maven-plugin/pull/9#issuecomment-1094702076 @raducotescu Yes, it works for me. Thank you.