> BTW was there a particular fix in HttpClient 4.5.13 that you wanted?
>

There is a CVE for HttpClient before 4.5.13 related to a malformed authority component https://mail-archives.apache.org/mod_mbox/hc-httpclient-users/202010.mbox/%3C4202d88eabd0ad2a0287243b281cad1bd2b9b141.camel%40apache.org%3E

> Elsewhere [*], I have been through all the HTTP APIs in Jena, which have
> lots of history, restructured them to update the style (e.g.
> QueryExecutionHttp.Builder)
>
>
> It's java11 use java.net.http which I found to be easy to use. It has
> async support and internally it is truly async I/O inside.
>
>     Andy
>
> [*] https://github.com/afs/jena-http
>
>
> but hopefully this will make maintenance quite a lot easier going
> forward.
>
>
>
> Aaron
>
>
>
> On Thu, Nov 12, 2020, 12:54 Andy Seaborne <[email protected]> wrote:
>
> >> OK - I think it is tamed for now!
> >>
> >> A lot of updates, nothing serious showing up. The build became unstable
> >> due to trying to do too much in one go but should now be green - it is
> >> at TravisCI.
> >>
> >>     Andy
> >>
> >> == Process
> >>
> >> dependabot is administered by the file
> >>
> >>   <root>/.github/dependabot.yml
> >>
> >> Currently, set to run monthly.
> >>
> >> There is no other setting for on/off; if it is there, dependabot runs.
> >>
> >> This is not all good; it runs for clones of the repo but they don't any
> >> tidy and suppression of unwanted updates.
> >>
> >> The "schedule" is required otherwise it could be manual and run from GH
> >> UI via "Insights" -> "Dependency Graph" -> "Dependabot".
> >>
> >> == This cycle
> >>
> >> There are a couple for major upgrades highlighted:
> >>
> >> * Lucene 7 -> 8
> >> * org.osgi.core 5.0.0 -> 6.0.0
> >>
> >> (nothing done about them)
> >>
> >> Too near to a release for org.osgi.core and Lucene 7->8 is a major
> >> decision and there is no rush that I'm aware of.
> >>
> >> * jena-elephas : Uses hadoop 2, guava 11 - I hope I've told the
> >> dependabot to ignore these.
> >>
> >> It's the Guava bit that I'm unsure about as we have two different
> >> dependencies.
> >>
> >> == Things that broke:
> >>
> >> GeoSPARQL
> >>   SIS 0.8 -> 1.0 : test failure
> >>   (left at 0.8, JENA-1996)
> >>
> >> jena-sdb : hsql v2
> >>   Left at v1
> >>
> >> == Notes
> >>
> >> 1/
> >> Derby 10.15.x.y requires java9, so updated only as far as 10.14.x.y and
> >> then dependabot asked to ignore the minor version.
> >> (used for testing by jena-sdb by jena-geosparql)
> >>
> >> 2/
> >> The updated shade plugin has some new warnings about overlapping files.
> >> It looks safe, needs checking (and maybe there are shading transformers
> >> to merge the files).
> >>
> >>
> >> == Updates done
> >>
> >> HttpClient to 4.5.13
> >> commons-lang3 from 3.10 to 3.11
> >> guava 29-jre to 30-jre (shaded)
> >> spatial4j from 0.6 to 0.7
> >> airline.version from 2.1.1 to 2.8.0
> >> jts-core from 1.16.1 to 1.17.1
> >> shiro from 1.5.1 to 1.7.0
> >> jackson from 2.10.1 to 2.11.3
> >> commons-codec 1.14 to 1.15
> >> commons-io from 2.6 to 2.8.0
> >> micrometer from 1.5.5 to 1.6.1
> >> jcommander from 1.72 to 1.78
> >>
> >> and plugins.
> >>
> >>     Andy
> >>
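As an added illustration of the dependabot settings Andy describes (a required monthly "schedule", and per-dependency ignore rules for the Derby minor version and for the Hadoop 2 pin in jena-elephas), here is a constructed `.github/dependabot.yml`. It is not the file from the Jena repository; the Maven coordinates (`org.apache.derby:derby`, `org.apache.hadoop:*`, `org.apache.lucene:*`) and the single root `directory` are assumptions for the example.

```yaml
# Constructed example of <root>/.github/dependabot.yml (not the Jena
# project's actual file). Assumes one Maven build rooted at "/".
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    # "schedule" is mandatory; once the file exists dependabot runs,
    # so the interval is the only knob for how often PRs appear.
    schedule:
      interval: "monthly"
    ignore:
      # Derby 10.15.x.y needs Java 9, so stay on 10.14.x.y: block major
      # and minor bumps but still accept patch releases. (Artifact
      # coordinates assumed.)
      - dependency-name: "org.apache.derby:derby"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
      # jena-elephas is pinned to Hadoop 2; an entry with no "versions"
      # or "update-types" suppresses every update for the match, and the
      # wildcard covers all artifacts in the group. (Coordinates assumed.)
      - dependency-name: "org.apache.hadoop:*"
      # Lucene 7 -> 8 is a deliberate decision, not a routine bump,
      # so only the major update is held back. (Coordinates assumed.)
      - dependency-name: "org.apache.lucene:*"
        update-types:
          - "version-update:semver-major"
```

Ignore rules are matched by dependency name within one `updates` entry, which is why the Guava case in the mail is awkward: a name-based rule cannot keep the shaded guava at 30-jre for the main build while holding jena-elephas at guava 11 in the same entry. Note also that these rules only shape what dependabot proposes; they do not switch it off for clones of the repository, which the mail flags as a separate problem.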
