The logs look like they come from Maven Enforcer and are based on the
poms published to Maven Central.

https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html

On Wed, 8 Jan 2025 at 21:16, Dave Fisher <w...@apache.org> wrote:
>
>
>
> > On Jan 8, 2025, at 11:13 AM, Tim Allison <talli...@apache.org> wrote:
> >
> > Thank you, all. I'm sorry for the noise.
> >
> > As you all point out, these are not a POI or even XMLBeans issue, and
> > provided should be, ahem, provided.
> >
> > We added convergence checks in Tika after an irate downstream user
> > complained.
>
> Just curious if the irate user complaint was based on SBOMs? If so, were they
> using CycloneDX generated by a Maven build, or SPDX from GitHub’s Dependency
> graph Insights?
>
> > On Tika, we "fix" the convergence problems by specifying the
> > most recent version in the dependencyManagement section of our parent pom.
> > This relies on the hope of backward compatibility for the more recent
> > version for a conflict, and it also relies on unit tests and large scale
> > regression testing (along the lines of what PJ (or was it Dominik?)
> > suggested).
> >
> > Again, many thanks!
>
> Best,
> Dave
> >
> > Cheers,
> >
> >       Tim
> >
> > On Wed, Jan 8, 2025 at 12:41 PM Dominik Stadler
> > <dominik.stad...@gmx.at.invalid> wrote:
> >
> >> Hi,
> >>
> >> To be honest, I also don't see too much value in applying such checks.
> >> There will always be failures as soon as larger dependencies are added to a
> >> project and it is nearly impossible to avoid it while at the same time
> >> keeping dependencies up-to-date for fixing security issues.
> >>
> >> Dominik.
> >>
> >>
> >> On Wed, Jan 8, 2025 at 4:09 PM PJ Fanning <fannin...@apache.org> wrote:
> >>
> >>> We won't be changing this for the release.
> >>> I, personally, do not understand the use of strict dependency convergence
> >>> checks. If you have a few dependencies and those dependencies have common
> >>> transitive dependencies - you are almost guaranteed to have a convergence
> >>> issue.
> >>> Why should these tools not be intelligent enough to spot that log4j 2.24.2
> >>> and 2.24.3 differ only at the patch level (semantic versioning)?
> >>> For me, strict dependency convergence checks are a very poor substitute
> >>> for users running acceptance tests when they want to change the versions of
> >>> their dependencies.
> >>> You should also strongly consider adding more dependencies in your builds
> >>> so that you control the version of the jars explicitly instead of relying
> >>> on the versions in your transitive dependencies. This would also make your
> >>> dependency convergence checks happy.
> >>>
> >>>
> >>>
> >>> On 2025/01/08 14:47:10 Joep Weijers wrote:
> >>>> Hi all,
> >>>> Great to hear that 5.4.0 is almost released! I tested the version out
> >>>> and did notice the following dependency convergence issue on
> >>>> org.apache.logging.log4j:log4j-api:
> >>>> (Small Maven quickstart archetype pom with a dependency on poi-ooxml
> >>>> 5.4.0, running
> >>>> `mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-api`)
> >>>> [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml ---
> >>>> [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
> >>>> [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>> [INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
> >>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
> >>>> [INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
> >>>> [INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
> >>>> Not sure if you’d like to address this before release, but this would
> >>>> make our build with the dependencyConvergence rule enabled in the Maven
> >>>> enforcer plugin unhappy. For now I have fixed it by excluding the log4j-api
> >>>> dependency from poi-ooxml.
> >>>> Kind regards,
> >>>> Joep Weijers
> >>>>
> >>>> On 2025/01/07 19:27:58 Tim Allison wrote:
> >>>>> +1
> >>>>>
> >>>>> Apologies for my delay. Looks good.
> >>>>>
> >>>>> Confirmed src.tgz digest
> >>>>> Built locally and ran tests
> >>>>> Integrated with Tika's main branch.
> >>>>>
> >>>>> Thank you PJ, Dominik and team!
> >>>>>
> >>>>> P.S. I did notice some convergence issues. I don't think these are a
> >>>>> showstopper...not clear if we should fix these in XMLBeans or let
> >>>>> downstream users fix them in the next release.
> >>>>>
> >>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.apache.maven:maven-settings:jar:3.9.9:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
> >>>>> [ERROR]             +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.apache.maven:maven-artifact:jar:3.9.9:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-model:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>> [ERROR]
> >>>>> [ERROR]
> >>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency are:
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> >>>>> [ERROR]           +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> >>>>> [ERROR] and
> >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> >>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> >>>>>
> >>>>>
> >>>>> On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote:
> >>>>>
> >>>>>> We need at least 1 more review from a POI PMC member before we can
> >>>>>> proceed. If anyone has time, it would be much appreciated.
> >>>>>>
> >>>>>>
> >>>>>> On 2025/01/02 13:29:43 Dominik Stadler wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I tested the staged binaries with various projects and reviewed contents of
> >>>>>>> the source-distribution. Also compilation from source did work. So
> >>>>>>> everything fine as far as I see.
> >>>>>>>
> >>>>>>> I vote +1 for release!
> >>>>>>>
> >>>>>>> Thanks PJ for preparing the release! Dominik.
> >>>>>>>
> >>>>>>> On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning <fa...@yahoo.com.invalid>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hello POI Community,
> >>>>>>>>
> >>>>>>>> This is a call for a vote to release Apache POI version 5.4.0 (RC2).
> >>>>>>>>
> >>>>>>>> The discussion thread:
> >>>>>>>> https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw
> >>>>>>>>
> >>>>>>>> The release candidate:
> >>>>>>>> https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> This release has been signed with a PGP key available here:
> >>>>>>>> https://downloads.apache.org/poi/KEYS
> >>>>>>>>
> >>>>>>>> Release Notes:
> >>>>>>>> https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
> >>>>>>>>
> >>>>>>>> I will add the svn tag REL_5_4_0 if the vote passes.
> >>>>>>>>
> >>>>>>>> Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1922754
> >>>>>>>>
> >>>>>>>> Please download, verify, and test.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> We have also staged jars in the Apache Nexus Repository.
> >>>>>>>> These were built with the same code as appears in this Source Release
> >>>>>>>> Candidate.
> >>>>>>>> We would appreciate if users could test with these too.
> >>>>>>>>
> >>>>>>>> If anyone finds any serious problems with these jars, please also notify
> >>>>>>>> us on this thread.
> >>>>>>>>
> >>>>>>>> https://repository.apache.org/content/groups/staging/org/apache/poi/
> >>>>>>>>
> >>>>>>>> In gradle, you can add this repository.
> >>>>>>>>
> >>>>>>>> maven {
> >>>>>>>>    url "https://repository.apache.org/content/groups/staging/"
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> The VOTE will pass if we have more positive votes than negative votes
> >>>>>>>> and there must be a minimum of 3 approvals from POI PMC members.
> >>>>>>>>
> >>>>>>>> I will leave the vote open for at least a week.
> >>>>>>>>
> >>>>>>>> [ ] +1 approve
> >>>>>>>> [ ] +0 no opinion
> >>>>>>>> [ ] -1 disapprove with the reason
> >>>>>>>>
> >>>>>>>> To learn more about Apache POI, please see https://poi.apache.org/
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Checklist for reference:
> >>>>>>>> [ ] Download links are valid.
> >>>>>>>> [ ] Checksums and signatures.
> >>>>>>>> [ ] LICENSE/NOTICE files exist
> >>>>>>>> [ ] No unexpected binary files
> >>>>>>>> [ ] Source files have ASF headers
> >>>>>>>> [ ] Can compile from source
> >>>>>>>>
> >>>>>>>> To compile from the source, please refer to:
> >>>>>>>> https://poi.apache.org/devel/index.html
> >>>>>>>>
> >>>>>>>> Some notes about verifying downloads can be found at:
> >>>>>>>> https://poi.apache.org/download.html
> >>>>>>>>
> >>>>>>>> Here is my +1 (binding).
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> PJ Fanning (Apache POI PMC member)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ---------------------------------------------------------------------
> >>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> >>>>>>>> For additional commands, e-mail: dev-h...@poi.apache.org

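An added example, not part of the thread or of any project mentioned in it: a small triage script for the question raised above about tools not noticing that two versions differ only at the patch level. It reads `mvn dependency:tree -Dverbose` or Enforcer output, groups every version seen per artifact, and labels the spread by semantic-versioning level; the function names are hypothetical, and the label is a review aid that assumes the dependency follows semantic versioning, not proof of compatibility.

```python
import re
from collections import defaultdict

# Verbose tree quoted in the thread, with the e-mail line wraps rejoined.
SAMPLE_TREE = r"""[INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
[INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
[INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
[INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
[INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
[INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
"""

# group:artifact:type:version:scope, the form both tools print for non-root nodes.
COORD = re.compile(
    r"(\w[\w.-]*):(\w[\w.-]*):[\w.-]+:([\w.-]+):(?:compile|runtime|provided|test|system)\b")
SEMVER = re.compile(r"(\d+)\.(\d+)")

def versions_by_artifact(text):
    """Map 'group:artifact' to every version seen, including omitted nodes."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = COORD.search(line)
        if m:
            seen[f"{m.group(1)}:{m.group(2)}"].add(m.group(3))
    return seen

def bump_level(versions):
    """Most significant semver component in which the versions differ."""
    parsed = [SEMVER.match(v) for v in versions]
    if not all(parsed):
        return "unknown"  # non-numeric scheme: needs a human to look
    if len({int(m.group(1)) for m in parsed}) > 1:
        return "major"
    if len({int(m.group(2)) for m in parsed}) > 1:
        return "minor"
    return "patch"  # same major.minor; differs in patch or qualifier

def convergence_report(text):
    """Artifacts resolved at more than one version, with the spread level."""
    return {ga: (sorted(vs), bump_level(vs))
            for ga, vs in versions_by_artifact(text).items() if len(vs) > 1}

if __name__ == "__main__":
    for ga, (vs, level) in convergence_report(SAMPLE_TREE).items():
        print(f"{ga}: {', '.join(vs)} ({level}-level difference)")
```
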