If the dependency is not exposed by the public API then another alternative is to simply shade the artifact and then this becomes a non-issue for users.
Considering Ignite is a platform that executes user code via compute and service grid I personally think it would be good to minimize the number of dependencies that can potentially conflict with user code. -Nick On Sun, Aug 20, 2017, 11:51 AM Valentin Kulichenko < valentin.kuliche...@gmail.com> wrote: > Guys, > > Keep in mind that some projects can use *older* version of third-party > libraries as well, and dependency upgrade can break them. In other words, > dependency upgrade is in many cases an incompatible change for us, so we > should do this with care. > > Unless there is a specific reason to upgrade a specific dependency, I think > it's better to postpone it until major version. > > -Val > > On Sun, Aug 20, 2017 at 5:04 AM 李玉珏@163 <18624049...@163.com> wrote: > > > If the third party library is incompatible with the new version and the > > old version (such as lucene3.5.0-5.5.2), and the dependent version of > > Ignite is older, it may cause conflicts in the user's system. > > For such scenarios, I think that updating third-party dependencies's > > major version is valuable. > > > > > > 在 2017/8/17 上午8:26, Denis Magda 写道: > > > I would respond why do we need to update? Some bug, new capabilities, > > security breach? Alexey K., please shed some light on this. > > > > > > — > > > Denis > > > > > >> On Aug 16, 2017, at 5:12 PM, Dmitriy Setrakyan <dsetrak...@apache.org > > > > wrote: > > >> > > >> On Wed, Aug 16, 2017 at 5:02 PM, Denis Magda <dma...@apache.org> > wrote: > > >> > > >>> Honestly, I wouldn’t touch a dependency if it works like a charm and > > >>> nobody requested us to migrate to a new version. > > >>> > > >>> Why do you need to update Apache Common coded? > > >>> > > >> Not sure I agree. Why not update it? > > >> > > >> > > >>> > > >>> — > > >>> Denis > > >>> > > >>>> On Aug 16, 2017, at 10:36 AM, Alexey Kuznetsov < > akuznet...@apache.org > > > > > >>> wrote: > > >>>> Done > > >>>> > > >>>> https://issues.apache.org/jira/browse/IGNITE-6090 > > >>>> > > >>>> On Wed, Aug 16, 2017 at 8:01 PM, Dmitriy Setrakyan < > > >>> dsetrak...@apache.org> > > >>>> wrote: > > >>>> > > >>>>> The answer is Yes, we should update. Jira ticket assigned to the > next > > >>>>> release should be enough in my view. > > >>>>> > > >>>>> D. > > >>>>> > > >>>>> On Wed, Aug 16, 2017 at 2:38 AM, Alexey Kuznetsov < > > >>> akuznet...@apache.org> > > >>>>> wrote: > > >>>>> > > >>>>>> Hi, All! > > >>>>>> > > >>>>>> Do we have any policy for updating third-party dependencies? > > >>>>>> > > >>>>>> For example, I found that we are using very old Apache Common > codec > > >>>>> v.1.6 > > >>>>>> (released in 2011) > > >>>>>> And latest is Apache Common codec v.1.10 > > >>>>>> > > >>>>>> Do we need to update to new versions from time to time? > > >>>>>> And how? > > >>>>>> > > >>>>>> Just create JIRA issue, update pom.xml and run all tests on TC - > > will > > >>> be > > >>>>>> enough? > > >>>>>> > > >>>>>> -- > > >>>>>> Alexey Kuznetsov > > >>>>>> > > >>>> > > >>>> > > >>>> -- > > >>>> Alexey Kuznetsov > > >>> > > > > > > >
