aruraghuwanshi opened a new pull request, #19002:
URL: https://github.com/apache/druid/pull/19002
Fixes #18998.
### Description
PR #18990 introduced the `requireUpperBoundDeps` enforcer rule to catch
transitive dependency version inconsistencies. However, it needed **38
exclusions** to pass, since many libraries pull in conflicting transitive
versions. This PR shrinks that list from **38 down to 18** by bumping
dependency versions to satisfy the upper bound constraints.
#### Bumped dependency versions
The following dependencies were bumped to the highest version required by
their transitive dependency tree. All bumps are patch or minor version
increments with no expected API breakages:
| Dependency | Old | New |
|---|---|---|
| Netty 4 | 4.2.6.Final | 4.2.7.Final |
| Error Prone annotations | 2.35.1 | 2.36.0 |
| Caffeine | 2.8.0 | 2.9.3 |
| Scala library | 2.13.14 | 2.13.16 |
| Google HTTP Client | 1.42.3 | 1.43.3 |
| Commons IO | 2.17.0 | 2.21.0 |
| Commons Compress | 1.27.0 | 1.28.0 |
| Commons Collections4 | 4.2 | 4.4 |
| Commons Codec | 1.17.1 | 1.19.0 |
| Bouncy Castle (bcpkix) | 1.81 | 1.82 |
| Zstd JNI | 1.5.2-3 | 1.5.6-6 |
| HttpClient 4.x | 4.5.13 | 4.5.14 |
#### Added new managed dependencies
These transitive dependencies were not previously managed in the root POM,
causing version conflicts. Adding them to `dependencyManagement` centralizes
version control and removes the need for exclusions:
- `kotlin-stdlib-jdk8` (1.9.25) — aligns with existing `kotlin-stdlib`
- `proto-google-common-protos` (2.48.0) — version moved from
`indexing-service/pom.xml`
- `jakarta.activation-api` (1.2.2) — fixes conflict between docker-java and
jetty
- `httpclient5` (5.5.1) — version moved from `embedded-tests/pom.xml`
- `httpcore5` (5.3.6) — required by `httpclient5` 5.5.1
#### Child POM cleanup
Removed hardcoded versions from child modules that are now centrally managed:
- `indexing-service/pom.xml`: `proto-google-common-protos` version removed
- `embedded-tests/pom.xml`: `httpclient5` version removed
#### Remaining exclusions
The 18 remaining exclusions all require **major version bumps** or involve
complex dependency trees that need separate, focused work:
- **Jackson 2.20.x** — needed by docker-java 3.7.0 and fabric8
- **Guava 33.x** — needed by google-cloud libraries
- **Guice 7.0.0** — needed by fabric8
- **Zookeeper 3.9.x** — needed by Curator 5.8.0
- **Jedis 7.0.0** — needed by jedis-mock
- **RoaringBitmap 1.2.0**, **Aircompressor 2.0.2**, **OkIO 3.x** — major
version jumps
- **Jakarta Activation 2.x** — Jakarta EE 9 namespace migration
- **Reflections 0.10.2** — API breaking changes
- **Confluent stack** (snakeyaml, kafka-clients,
kafka-schema-registry-client) — Confluent-specific versioning
Each remaining exclusion is documented inline with a comment explaining why
it is still needed.
#### Release note
Upgraded multiple transitive dependency versions (Netty, Commons IO, Commons
Compress, Caffeine, Bouncy Castle, and others) and reduced the number of
`requireUpperBoundDeps` enforcer exclusions from 38 to 18. No user-facing
behavior changes.
<hr>
##### Key changed/added classes in this PR
* `pom.xml` — version bumps, new managed dependencies, reduced enforcer
exclusions
* `indexing-service/pom.xml` — removed hardcoded
`proto-google-common-protos` version
* `embedded-tests/pom.xml` — removed hardcoded `httpclient5` version
<hr>
This PR has:
- [x] been self-reviewed.
- [x] added comments explaining the "why" and the intent of the code
wherever it would not be obvious to an unfamiliar reader.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.