* Agreed on servlet API.
* Cassandra does need to be upgraded to at least 3.x, though there's also 4.x out now with a slightly different API, which might make sense as a separate module from Cassandra 3.x support.
* Felix can likely be bumped to something more recent. We could potentially update the OSGi dependency, too, to match this, but not as big a deal.
* There are multiple OSGi Maven plugins; it's possible that the one we're using has fallen out of favor. I remember https://bndtools.org being one of the sort of canonical OSGi build tools projects, and there's a Maven plugin for it.
On Mon, Apr 25, 2022 at 2:20 PM Piotr P. Karwasz <[email protected]> wrote:
>
> Hello,
>
> Dependabot has reached the maximum number of PRs allowed by its configuration, so I believe it is spring cleaning time.
>
> Some actions are no-brainers:
>
> * `javax.servlet-api` (https://github.com/apache/logging-log4j2/pull/803) should stay at 3.0, since we don't use features from higher versions,
> * `cassandra-all` 2.2.8 (https://github.com/apache/logging-log4j2/pull/817) is unsupported and has 2 vulnerabilities. We should switch to 3.0.26, although this requires some code changes. Do we need to do it before 2.18.0?
>
> Other 'bumps' require IMHO some discussion:
>
> * `org.apache.felix.framework` is used only for testing. Should we switch to a newer version?
> * `maven-bundle-plugin`: documentation seems to be stuck at 4.2.1, while the implementation reached 5.1.4. Do we need to upgrade?
>
> Piotr
