Hi,

To be honest, I also don't see too much value in applying such checks.
There will always be failures as soon as larger dependencies are added to a
project and it is nearly impossible to avoid it while at the same time
keeping dependencies up-to-date for fixing security issues.

Dominik.


On Wed, Jan 8, 2025 at 4:09 PM PJ Fanning <fannin...@apache.org> wrote:

> We won't be changing this for the release.
> I, personally, do not understand the use of strict dependency convergence
> checks. If you have a few dependencies and those dependencies have common
> transitive dependencies - you are almost guaranteed to have a convergence
> issue.
> Why should these tools not be intelligent enough to spot that log4j 2.24.2
> and 2.24.3 differ only at the patch level (semantic versioning)?
> For me, strict dependency convergence checks are a very poor substitute
> for users running acceptance tests when they want to change the versions of
> their dependencies.
> You should also strongly consider adding more dependencies in your builds
> so that you control the version of the jars explicitly instead of relying
> on the versions in your transitive dependencies. This would also make your
> dependency convergence checks happy.
>
>
>
> On 2025/01/08 14:47:10 Joep Weijers wrote:
> > Hi all,
> > Great to hear that 5.4.0 is almost released! I tested the version out and did notice the following dependency convergence issue on org.apache.logging.log4j:log4j-api:
> > (Small Maven quickstart archetype pom with a dependency on poi-ooxml 5.4.0, running `mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-api`)
> > [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml ---
> > [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
> > [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > [INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
> > [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
> > [INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
> > [INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
> > Not sure if you’d like to address this before release, but this would make our build with the dependencyConvergence rule enabled in the Maven enforcer plugin unhappy. For now I have fixed it by excluding the log4j-api dependency from poi-ooxml.
> > Kind regards,
> > Joep Weijers
> >
> > On 2025/01/07 19:27:58 Tim Allison wrote:
> > > +1
> > >
> > > Apologies for my delay. Looks good.
> > >
> > > Confirmed src.tgz digest
> > > Built locally and ran tests
> > > Integrated with Tika's main branch.
> > >
> > > Thank you PJ, Dominik and team!
> > >
> > > P.S. I did notice some convergence issues. I don't think these are a
> > > showstopper...not clear if we should fix these in XMLBeans or let
> > > downstream users fix them in the next release.
> > >
> > > [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.apache.maven:maven-settings:jar:3.9.9:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
> > > [ERROR]             +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.apache.maven:maven-artifact:jar:3.9.9:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-model:jar:3.9.9:runtime
> > > [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> > > [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > [ERROR]
> > > [ERROR]
> > > [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency are:
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> > > [ERROR]           +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> > > [ERROR] and
> > > [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> > > [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> > >
> > >
> > > On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote:
> > >
> > > > We need at least 1 more review from a POI PMC member before we can
> > > > proceed. If anyone has time, it would be much appreciated.
> > > >
> > > >
> > > > On 2025/01/02 13:29:43 Dominik Stadler wrote:
> > > > > Hi,
> > > > >
> > > > > > I tested the staged binaries with various projects and reviewed contents of
> > > > > > the source-distribution. Also compilation from source did work. So
> > > > > > everything fine as far as I see.
> > > > >
> > > > > I vote +1 for release!
> > > > >
> > > > > Thanks PJ for preparing the release! Dominik.
> > > > >
> > > > > > On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning <fa...@yahoo.com.invalid> wrote:
> > > > >
> > > > > > Hello POI Community,
> > > > > >
> > > > > > > This is a call for a vote to release Apache POI version 5.4.0 (RC2).
> > > > > >
> > > > > > The discussion thread:
> > > > > > https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw
> > > > > >
> > > > > > The release candidate:
> > > > > > https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/
> > > > > >
> > > > > >
> > > > > > This release has been signed with a PGP key available here:
> > > > > > https://downloads.apache.org/poi/KEYS
> > > > > >
> > > > > > Release Notes:
> > > > > >
> > > > > > > https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
> > > > > >
> > > > > > I will add the svn tag REL_5_4_0 if the vote passes.
> > > > > >
> > > > > > > Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1922754
> > > > > >
> > > > > > Please download, verify, and test.
> > > > > >
> > > > > >
> > > > > > We have also staged jars in the Apache Nexus Repository.
> > > > > > > These were built with the same code as appears in this Source Release
> > > > > > > Candidate.
> > > > > > We would appreciate if users could test with these too.
> > > > > >
> > > > > > > If anyone finds any serious problems with these jars, please also notify
> > > > > > > us on this thread.
> > > > > >
> > > > > >
> > > > > > > https://repository.apache.org/content/groups/staging/org/apache/poi/
> > > > > >
> > > > > > In gradle, you can add this repository.
> > > > > >
> > > > > > maven {
> > > > > >     url "https://repository.apache.org/content/groups/staging/";
> > > > > > }
> > > > > >
> > > > > >
> > > > > > > The VOTE will pass if we have more positive votes than negative votes
> > > > > > > and there must be a minimum of 3 approvals from POI PMC members.
> > > > > >
> > > > > > I will leave the vote open for at least a week.
> > > > > >
> > > > > > [ ] +1 approve
> > > > > > [ ] +0 no opinion
> > > > > > [ ] -1 disapprove with the reason
> > > > > >
> > > > > > > To learn more about Apache POI, please see https://poi.apache.org/
> > > > > >
> > > > > >
> > > > > > Checklist for reference:
> > > > > > [ ] Download links are valid.
> > > > > > [ ] Checksums and signatures.
> > > > > > [ ] LICENSE/NOTICE files exist
> > > > > > [ ] No unexpected binary files
> > > > > > [ ] Source files have ASF headers
> > > > > > [ ] Can compile from source
> > > > > >
> > > > > > To compile from the source, please refer to:
> > > > > > https://poi.apache.org/devel/index.html
> > > > > >
> > > > > > Some notes about verifying downloads can be found at:
> > > > > > https://poi.apache.org/download.html
> > > > > >
> > > > > > Here is my +1 (binding).
> > > > > >
> > > > > > Thanks,
> > > > > > PJ Fanning (Apache POI PMC member)
> > > > > >
> > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > > > > > For additional commands, e-mail: dev-h...@poi.apache.org
> > > > > >
> > > > > >
> > > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > > > For additional commands, e-mail: dev-h...@poi.apache.org
> > > >
> > > >
> > >
> >
>
>
>
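
An added example (not part of the thread, and not POI or Maven tooling): a small Python triage of `mvn dependency:tree -Dverbose` output that names the version component in which each conflict differs and flags conflicts where Maven resolved to an older version than a dependency requested. The log4j lines in the sample are the tree output quoted in this thread; the plexus-utils line is constructed for illustration, and all function names are hypothetical.

```python
import re

# Matches verbose-tree entries of the form
# "(group:artifact:type:version:scope - omitted for conflict with X)".
# Assumption: coordinates without a classifier; entries with one are skipped.
CONFLICT = re.compile(
    r"\((?P<ga>[^:()\s]+:[^:()\s]+):[^:()\s]+:(?P<asked>[^:()\s]+):\w+"
    r" - omitted for conflict with (?P<won>[^)\s]+)\)"
)

def parse_version(v):
    """Return (major, minor, patch) for plain numeric versions, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(asked, won):
    """Name the highest version component in which the two versions differ."""
    a, w = parse_version(asked), parse_version(won)
    if a is None or w is None:
        return "unparsed"  # qualifiers such as 0.9.0.M3 need manual review
    for name, x, y in zip(("major", "minor", "patch"), a, w):
        if x != y:
            return name
    return "same"

def find_conflicts(tree_output):
    """List each conflict with its level and whether the resolved version is older."""
    found = []
    for m in CONFLICT.finditer(tree_output):
        a, w = parse_version(m["asked"]), parse_version(m["won"])
        found.append({
            "artifact": m["ga"], "asked": m["asked"], "resolved": m["won"],
            "level": classify(m["asked"], m["won"]),
            "downgrade": bool(a and w and w < a),
        })
    return found

# Tree output quoted in the thread, plus one constructed line (the last).
SAMPLE = r"""
[INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
[INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
[INFO]    |  \- (org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime - omitted for conflict with 3.4.1)
"""

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE):
        print(c)
```
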
