convergence issues

Wed, 08 Jan 2025 11:13:35 -0800 

Thank you, all. I'm sorry for the noise.

As you all point out, these are not a POI or even XMLBeans issue, and
provided should be, ahem, provided.

We added convergence checks in Tika after an irate downstream user
complained. On Tika, we "fix" the convergence problems by specifying the
most recent version in the dependencyManagement section of our parent pom.
This relies on the hope of backward compatibility for the more recent
version for a conflict, and it also relies on unit tests and large scale
regression testing (along the lines of what PJ (or was it Dominik?)
suggested).

Again, many thanks!

Cheers,

       Tim

On Wed, Jan 8, 2025 at 12:41 PM Dominik Stadler
<dominik.stad...@gmx.at.invalid> wrote:

> Hi,
>
> To be honest, I also don't see too much value in applying such checks.
> There will always be failures as soon as larger dependencies are added to a
> project and it is nearly impossible to avoid it while at the same time
> keeping dependencies up-to-date for fixing security issues.
>
> Dominik.
>
>
> On Wed, Jan 8, 2025 at 4:09 PM PJ Fanning <fannin...@apache.org> wrote:
>
> > We won't be changing this for the release.
> > I, personally, do not understand the use of strict dependency convergence
> > checks. If you have a few dependencies and those dependencies have common
> > transitive dependencies - you are almost guaranteed to have a convergence
> > issue.
> > Why should these tools not be intelligent enough to spot that log4j
> 2.24.2
> > and 2.24.3 differ only at the patch level (semantic versioning)?
> > For me, strict dependency convergence checks are a very poor substitute
> > for users running acceptance tests when they want to change the versions
> of
> > their dependencies.
> > You should also strongly consider adding more dependencies in your builds
> > so that you control the version of the jars explicitly instead of relying
> > on the versions in your transitive dependencies. This would also make
> your
> > dependency convergence checks happy.
> >
> >
> >
> > On 2025/01/08 14:47:10 Joep Weijers wrote:
> > > Hi all,
> > > Great to hear that 5.4.0 is almost released! I tested the version out
> > and did notice the following dependency convergence issue on
> > org.apache.logging.log4j:log4j-api:
> > > (Small Maven quickstart archetype pom with a dependency on poi-ooxml
> > 5.4.0, running `mvn dependency:tree -Dverbose
> > -Dincludes=org.apache.logging.log4j:log4j-api`)
> > > [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml ---
> > > [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
> > > [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > [INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
> > > [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
> -
> > omitted for duplicate)
> > > [INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile
> -
> > omitted for conflict with 2.24.3)
> > > [INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
> > > Not sure if you’d like to address this before release, but this would
> > make our build with the dependencyConvergence rule enabled in the Maven
> > enforcer plugin unhappy. For now I have fixed it by excluding the
> log4j-api
> > dependency from poi-ooxml.
> > > Kind regards,
> > > Joep Weijers
> > >
> > > On 2025/01/07 19:27:58 Tim Allison wrote:
> > > > +1
> > > >
> > > > Apologies for my delay. Looks good.
> > > >
> > > > Confirmed src.tgz digest
> > > > Built locally and ran tests
> > > > Integrated with Tika's main branch.
> > > >
> > > > Thank you PJ, Dominik and team!
> > > >
> > > > P.S. I did notice some convergence issues. I don't think these are a
> > > > showstopper...not clear if we should fix these in XMLBeans or let
> > > > downstream users fix them in the next release.
> > > >
> > > > [ERROR] Dependency convergence error for
> > > > org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]         +-org.apache.maven:maven-settings:jar:3.9.9:runtime
> > > > [ERROR]
>  +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]
> >  +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> > > > [ERROR]
>  +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]
> >  +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> > > > [ERROR]
> > > > +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
> > > > [ERROR]
> >  +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]
> > > > +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime
> > > > [ERROR]
>  +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]         +-org.apache.maven:maven-artifact:jar:3.9.9:runtime
> > > > [ERROR]
>  +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]
> >  +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime
> > > > [ERROR]
>  +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]
> > > > +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> > > > [ERROR]
>  +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-model:jar:3.9.9:runtime
> > > > [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> > > > [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > > > [ERROR]
> > > > [ERROR]
> > > > [ERROR] Dependency convergence error for
> > > > org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency
> > are:
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]
> > > > +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> > > > [ERROR]
> >  +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > > > [ERROR]
> >  +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> > > > [ERROR] and
> > > > [ERROR]
> > +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > > > [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > > > [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > > > [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> > > > [ERROR]
> >  +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> > > >
> > > >
> > > > On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote:
> > > >
> > > > > We need at least 1 more review from a POI PMC member before we can
> > > > > proceed. If anyone has time, it would be much appreciated.
> > > > >
> > > > >
> > > > > On 2025/01/02 13:29:43 Dominik Stadler wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I tested the staged binaries with various projects and reviewed
> > contents
> > > > > of
> > > > > > the source-distribution. Also compilation from source did work.
> So
> > > > > > everything fine as far as I see.
> > > > > >
> > > > > > I vote +1 for release!
> > > > > >
> > > > > > Thanks PJ for preparing the release! Dominik.
> > > > > >
> > > > > > On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning
> <fa...@yahoo.com.invalid
> > >
> > > > > > wrote:
> > > > > >
> > > > > > > Hello POI Community,
> > > > > > >
> > > > > > > This is a call for a vote to release Apache POI version 5.4.0
> > (RC2).
> > > > > > >
> > > > > > > The discussion thread:
> > > > > > >
> https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw
> > > > > > >
> > > > > > > The release candidate:
> > > > > > > https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/
> > > > > > >
> > > > > > >
> > > > > > > This release has been signed with a PGP key available here:
> > > > > > > https://downloads.apache.org/poi/KEYS
> > > > > > >
> > > > > > > Release Notes:
> > > > > > >
> > https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
> > > > > > >
> > > > > > > I will add the svn tag REL_5_4_0 if the vote passes.
> > > > > > >
> > > > > > > Svn commit ID:
> > https://svn.apache.org/repos/asf/poi/trunk@1922754
> > > > > > >
> > > > > > > Please download, verify, and test.
> > > > > > >
> > > > > > >
> > > > > > > We have also staged jars in the Apache Nexus Repository.
> > > > > > > These were built with the same code as appears in this Source
> > Release
> > > > > > > Candidate.
> > > > > > > We would appreciate if users could test with these too.
> > > > > > >
> > > > > > > If anyone finds any serious problems with these jars, please
> also
> > > > > notify
> > > > > > > us on this thread.
> > > > > > >
> > > > > > >
> > https://repository.apache.org/content/groups/staging/org/apache/poi/
> > > > > > >
> > > > > > > In gradle, you can add this repository.
> > > > > > >
> > > > > > > maven {
> > > > > > >     url "https://repository.apache.org/content/groups/staging/
> "
> > > > > > > }
> > > > > > >
> > > > > > >
> > > > > > > The VOTE will pass if we have more positive votes than negative
> > votes
> > > > > > > and there must be a minimum of 3 approvals from POI PMC
> members.
> > > > > > >
> > > > > > > I will leave the vote open for at least a week.
> > > > > > >
> > > > > > > [ ] +1 approve
> > > > > > > [ ] +0 no opinion
> > > > > > > [ ] -1 disapprove with the reason
> > > > > > >
> > > > > > > To learn more about Apache POI, please see
> > https://poi.apache.org/
> > > > > > >
> > > > > > >
> > > > > > > Checklist for reference:
> > > > > > > [ ] Download links are valid.
> > > > > > > [ ] Checksums and signatures.
> > > > > > > [ ] LICENSE/NOTICE files exist
> > > > > > > [ ] No unexpected binary files
> > > > > > > [ ] Source files have ASF headers
> > > > > > > [ ] Can compile from source
> > > > > > >
> > > > > > > To compile from the source, please refer to:
> > > > > > > https://poi.apache.org/devel/index.html
> > > > > > >
> > > > > > > Some notes about verifying downloads can be found at:
> > > > > > > https://poi.apache.org/download.html
> > > > > > >
> > > > > > > Here is my +1 (binding).
> > > > > > >
> > > > > > > Thanks,
> > > > > > > PJ Fanning (Apache POI PMC member)
> > > > > > >
> > > > > > >
> > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > > > > > > For additional commands, e-mail: dev-h...@poi.apache.org
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > > > > For additional commands, e-mail: dev-h...@poi.apache.org
> > > > >
> > > > >
> > > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > For additional commands, e-mail: dev-h...@poi.apache.org
> >
> >
>

Reply via email to