We won't be changing this for the release. I, personally, do not understand the use of strict dependency convergence checks. If you have a few dependencies and those dependencies have common transitive dependencies - you are almost guaranteed to have a convergence issue. Why should these tools not be intelligent enough to spot that log4j 2.24.2 and 2.24.3 differ only at the patch level (semantic versioning)? For me, strict dependency convergence checks are a very poor substitute for users running acceptance tests when they want to change the versions of their dependencies. You should also strongly consider adding more dependencies in your builds so that you control the version of the jars explicitly instead of relying on the versions in your transitive dependencies. This would also make your dependency convergence checks happy.
On 2025/01/08 14:47:10 Joep Weijers wrote: > Hi all, > Great to hear that 5.4.0 is almost released! I tested the version out and did > notice the following dependency convergence issue on > org.apache.logging.log4j:log4j-api: > (Small Maven quickstart archetype pom with a dependency on poi-ooxml 5.4.0, > running `mvn dependency:tree -Dverbose > -Dincludes=org.apache.logging.log4j:log4j-api`) > [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml --- > [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT > [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile > [INFO] +- org.apache.poi:poi:jar:5.4.0:compile > [INFO] | \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - > omitted for duplicate) > [INFO] +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > [INFO] | \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - > omitted for conflict with 2.24.3) > [INFO] \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile > Not sure if you’d like to address this before release, but this would make > our build with the dependencyConvergence rule enabled in the Maven enforcer > plugin unhappy. For now I have fixed it by excluding the log4j-api dependency > from poi-ooxml. > Kind regards, > Joep Weijers > > On 2025/01/07 19:27:58 Tim Allison wrote: > > +1 > > > > Apologies for my delay. Looks good. > > > > Confirmed src.tgz digest > > Built locally and ran tests > > Integrated with Tika's main branch. > > > > Thank you PJ, Dominik and team! > > > > P.S. I did notice some convergence issues. I don't think these are a > > showstopper...not clear if we should fix these in XMLBeans or let > > downstream users fix them in the next release. > > > > [ERROR] Dependency convergence error for > > org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are: > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] +-org.apache.maven:maven-settings:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime > > [ERROR] > > +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] > > +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] +-org.apache.maven:maven-artifact:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] > > +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-model:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime > > [ERROR] > > [ERROR] > > [ERROR] Dependency convergence error for > > org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency are: > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] > > +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime > > [ERROR] +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-core:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime > > [ERROR] and > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT > > [ERROR] +-org.apache.poi:poi-ooxml:jar:5.4.0:compile > > [ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile > > [ERROR] +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime > > [ERROR] +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime > > > > > > On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote: > > > > > We need at least 1 more review from a POI PMC member before we can > > > proceed. If anyone has time, it would be much appreciated. > > > > > > > > > On 2025/01/02 13:29:43 Dominik Stadler wrote: > > > > Hi, > > > > > > > > I tested the staged binaries with various projects and reviewed contents > > > of > > > > the source-distribution. Also compilation from source did work. So > > > > everything fine as far as I see. > > > > > > > > I vote +1 for release! > > > > > > > > Thanks PJ for preparing the release! Dominik. > > > > > > > > On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning <fa...@yahoo.com.invalid> > > > > wrote: > > > > > > > > > Hello POI Community, > > > > > > > > > > This is a call for a vote to release Apache POI version 5.4.0 (RC2). > > > > > > > > > > The discussion thread: > > > > > https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw > > > > > > > > > > The release candidate: > > > > > https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/ > > > > > > > > > > > > > > > This release has been signed with a PGP key available here: > > > > > https://downloads.apache.org/poi/KEYS > > > > > > > > > > Release Notes: > > > > > https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt > > > > > > > > > > I will add the svn tag REL_5_4_0 if the vote passes. > > > > > > > > > > Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1922754 > > > > > > > > > > Please download, verify, and test. > > > > > > > > > > > > > > > We have also staged jars in the Apache Nexus Repository. > > > > > These were built with the same code as appears in this Source Release > > > > > Candidate. > > > > > We would appreciate if users could test with these too. > > > > > > > > > > If anyone finds any serious problems with these jars, please also > > > notify > > > > > us on this thread. > > > > > > > > > > https://repository.apache.org/content/groups/staging/org/apache/poi/ > > > > > > > > > > In gradle, you can add this repository. > > > > > > > > > > maven { > > > > > url "https://repository.apache.org/content/groups/staging/"; > > > > > } > > > > > > > > > > > > > > > The VOTE will pass if we have more positive votes than negative votes > > > > > and there must be a minimum of 3 approvals from POI PMC members. > > > > > > > > > > I will leave the vote open for at least a week. > > > > > > > > > > [ ] +1 approve > > > > > [ ] +0 no opinion > > > > > [ ] -1 disapprove with the reason > > > > > > > > > > To learn more about Apache POI, please see https://poi.apache.org/ > > > > > > > > > > > > > > > Checklist for reference: > > > > > [ ] Download links are valid. > > > > > [ ] Checksums and signatures. > > > > > [ ] LICENSE/NOTICE files exist > > > > > [ ] No unexpected binary files > > > > > [ ] Source files have ASF headers > > > > > [ ] Can compile from source > > > > > > > > > > To compile from the source, please refer to: > > > > > https://poi.apache.org/devel/index.html > > > > > > > > > > Some notes about verifying downloads can be found at: > > > > > https://poi.apache.org/download.html > > > > > > > > > > Here is my +1 (binding). > > > > > > > > > > Thanks, > > > > > PJ Fanning (Apache POI PMC member) > > > > > > > > > > --------------------------------------------------------------------- > > > > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org > > > > > For additional commands, e-mail: dev-h...@poi.apache.org > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org > > > For additional commands, e-mail: dev-h...@poi.apache.org > > > > > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org
