Y.

On Wed, Jan 8, 2025 at 3:33 PM Dave Fisher <w...@apache.org> wrote:
> So the “provided” issue could be configuration of the enforcer.
>
> > Filtering Dependency Errors
> > By default, all dependency convergence errors are reported, and any single error will fail the build. If you want to tune which dependency errors are reported and fail the build, you can add the following optional parameters:
> >
> > • includes - A list of artifacts for which dependency convergence should be enforced. Not specifying any includes is interpreted the same as including all artifacts.
> > • excludes - A list of artifacts for which dependency convergence should not be enforced. These are exceptions to the includes.
> > • excludedScopes - A list of scopes of artifacts for which dependency convergence should not be enforced. Not specifying any scopes is interpreted as having the following scopes excluded: provided, test.
>
> Best,
> Dave
>
> > On Jan 8, 2025, at 12:19 PM, PJ Fanning <fannin...@gmail.com> wrote:
> >
> > The logs look like they come from Maven Enforcer and are based on the
> > poms published to Maven Central.
> >
> > https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html
> >
> > On Wed, 8 Jan 2025 at 21:16, Dave Fisher <w...@apache.org> wrote:
> >>
> >>
> >>
> >>> On Jan 8, 2025, at 11:13 AM, Tim Allison <talli...@apache.org> wrote:
> >>>
> >>> Thank you, all. I'm sorry for the noise.
> >>>
> >>> As you all point out, these are not a POI or even XMLBeans issue, and
> >>> provided should be, ahem, provided.
> >>>
> >>> We added convergence checks in Tika after an irate downstream user
> >>> complained.
> >>
> >> Just curious if the irate user complaint was based on SBOMs? If so, were they using CycloneDX generated by a Maven build, or SPDX from GitHub’s Dependency graph Insights?
> >>
> >>> On Tika, we "fix" the convergence problems by specifying the
> >>> most recent version in the dependencyManagement section of our parent pom.
> >>> This relies on the hope of backward compatibility for the more recent
> >>> version for a conflict, and it also relies on unit tests and large scale
> >>> regression testing (along the lines of what PJ (or was it Dominik?)
> >>> suggested).
> >>>
> >>> Again, many thanks!
> >>
> >> Best,
> >> Dave
> >>>
> >>> Cheers,
> >>>
> >>> Tim
> >>>
> >>> On Wed, Jan 8, 2025 at 12:41 PM Dominik Stadler
> >>> <dominik.stad...@gmx.at.invalid> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> To be honest, I also don't see too much value in applying such checks.
> >>>> There will always be failures as soon as larger dependencies are added to a
> >>>> project and it is nearly impossible to avoid it while at the same time
> >>>> keeping dependencies up-to-date for fixing security issues.
> >>>>
> >>>> Dominik.
> >>>>
> >>>>
> >>>> On Wed, Jan 8, 2025 at 4:09 PM PJ Fanning <fannin...@apache.org> wrote:
> >>>>
> >>>>> We won't be changing this for the release.
> >>>>> I, personally, do not understand the use of strict dependency convergence
> >>>>> checks. If you have a few dependencies and those dependencies have common
> >>>>> transitive dependencies - you are almost guaranteed to have a convergence
> >>>>> issue.
> >>>>> Why should these tools not be intelligent enough to spot that log4j 2.24.2
> >>>>> and 2.24.3 differ only at the patch level (semantic versioning)?
> >>>>> For me, strict dependency convergence checks are a very poor substitute
> >>>>> for users running acceptance tests when they want to change the versions of
> >>>>> their dependencies.
> >>>>> You should also strongly consider adding more dependencies in your builds
> >>>>> so that you control the version of the jars explicitly instead of relying
> >>>>> on the versions in your transitive dependencies. This would also make your
> >>>>> dependency convergence checks happy.
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 2025/01/08 14:47:10 Joep Weijers wrote:
> >>>>>> Hi all,
> >>>>>> Great to hear that 5.4.0 is almost released! I tested the version out and did notice the following dependency convergence issue on org.apache.logging.log4j:log4j-api:
> >>>>>> (Small Maven quickstart archetype pom with a dependency on poi-ooxml 5.4.0, running `mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-api`)
> >>>>>> [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml ---
> >>>>>> [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
> >>>>>> [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>> [INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
> >>>>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
> >>>>>> [INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
> >>>>>> [INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
> >>>>>> Not sure if you’d like to address this before release, but this would make our build with the dependencyConvergence rule enabled in the Maven enforcer plugin unhappy. For now I have fixed it by excluding the log4j-api dependency from poi-ooxml.
> >>>>>> Kind regards,
> >>>>>> Joep Weijers
> >>>>>>
> >>>>>> On 2025/01/07 19:27:58 Tim Allison wrote:
> >>>>>>> +1
> >>>>>>>
> >>>>>>> Apologies for my delay. Looks good.
> >>>>>>>
> >>>>>>> Confirmed src.tgz digest
> >>>>>>> Built locally and ran tests
> >>>>>>> Integrated with Tika's main branch.
> >>>>>>>
> >>>>>>> Thank you PJ, Dominik and team!
> >>>>>>>
> >>>>>>> P.S. I did notice some convergence issues. I don't think these are a
> >>>>>>> showstopper...not clear if we should fix these in XMLBeans or let
> >>>>>>> downstream users fix them in the next release.
> >>>>>>>
> >>>>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.apache.maven:maven-settings:jar:3.9.9:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
> >>>>>>> [ERROR]             +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.apache.maven:maven-artifact:jar:3.9.9:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-model:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> >>>>>>> [ERROR]
> >>>>>>> [ERROR]
> >>>>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency are:
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> >>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> >>>>>>> [ERROR] and
> >>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> >>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> >>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> >>>>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> >>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> >>>>>>>
> >>>>>>>
> >>>>>>> On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote:
> >>>>>>>
> >>>>>>>> We need at least 1 more review from a POI PMC member before we can
> >>>>>>>> proceed. If anyone has time, it would be much appreciated.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 2025/01/02 13:29:43 Dominik Stadler wrote:
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> I tested the staged binaries with various projects and reviewed contents of
> >>>>>>>>> the source-distribution. Also compilation from source did work. So
> >>>>>>>>> everything fine as far as I see.
> >>>>>>>>>
> >>>>>>>>> I vote +1 for release!
> >>>>>>>>>
> >>>>>>>>> Thanks PJ for preparing the release! Dominik.
> >>>>>>>>>
> >>>>>>>>> On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning <fa...@yahoo.com.invalid>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello POI Community,
> >>>>>>>>>>
> >>>>>>>>>> This is a call for a vote to release Apache POI version 5.4.0 (RC2).
> >>>>>>>>>>
> >>>>>>>>>> The discussion thread:
> >>>>>>>>>> https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw
> >>>>>>>>>>
> >>>>>>>>>> The release candidate:
> >>>>>>>>>> https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> This release has been signed with a PGP key available here:
> >>>>>>>>>> https://downloads.apache.org/poi/KEYS
> >>>>>>>>>>
> >>>>>>>>>> Release Notes:
> >>>>>>>>>> https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
> >>>>>>>>>>
> >>>>>>>>>> I will add the svn tag REL_5_4_0 if the vote passes.
> >>>>>>>>>>
> >>>>>>>>>> Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1922754
> >>>>>>>>>>
> >>>>>>>>>> Please download, verify, and test.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> We have also staged jars in the Apache Nexus Repository.
> >>>>>>>>>> These were built with the same code as appears in this Source Release
> >>>>>>>>>> Candidate.
> >>>>>>>>>> We would appreciate if users could test with these too.
> >>>>>>>>>>
> >>>>>>>>>> If anyone finds any serious problems with these jars, please also notify
> >>>>>>>>>> us on this thread.
> >>>>>>>>>>
> >>>>>>>>>> https://repository.apache.org/content/groups/staging/org/apache/poi/
> >>>>>>>>>>
> >>>>>>>>>> In gradle, you can add this repository.
> >>>>>>>>>>
> >>>>>>>>>> maven {
> >>>>>>>>>>     url "https://repository.apache.org/content/groups/staging/"
> >>>>>>>>>> }
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> The VOTE will pass if we have more positive votes than negative votes
> >>>>>>>>>> and there must be a minimum of 3 approvals from POI PMC members.
> >>>>>>>>>>
> >>>>>>>>>> I will leave the vote open for at least a week.
> >>>>>>>>>>
> >>>>>>>>>> [ ] +1 approve
> >>>>>>>>>> [ ] +0 no opinion
> >>>>>>>>>> [ ] -1 disapprove with the reason
> >>>>>>>>>>
> >>>>>>>>>> To learn more about Apache POI, please see https://poi.apache.org/
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Checklist for reference:
> >>>>>>>>>> [ ] Download links are valid.
> >>>>>>>>>> [ ] Checksums and signatures.
> >>>>>>>>>> [ ] LICENSE/NOTICE files exist
> >>>>>>>>>> [ ] No unexpected binary files
> >>>>>>>>>> [ ] Source files have ASF headers
> >>>>>>>>>> [ ] Can compile from source
> >>>>>>>>>>
> >>>>>>>>>> To compile from the source, please refer to:
> >>>>>>>>>> https://poi.apache.org/devel/index.html
> >>>>>>>>>>
> >>>>>>>>>> Some notes about verifying downloads can be found at:
> >>>>>>>>>> https://poi.apache.org/download.html
> >>>>>>>>>>
> >>>>>>>>>> Here is my +1 (binding).
> >>>>>>>>>>
> >>>>>>>>>> Thanks,
> >>>>>>>>>> PJ Fanning (Apache POI PMC member)
> >>>>>>>>>>
> >>>>>>>>>> ---------------------------------------------------------------------
> >>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> >>>>>>>>>> For additional commands, e-mail: dev-h...@poi.apache.org
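
Added example (not part of the thread, nor Maven's or the enforcer's own code): a small Python triage script for the `mvn dependency:tree -Dverbose` output quoted above. It lists the versions Maven omitted for conflict, skips the scopes the dependencyConvergence rule excludes by default (provided, test), and labels each gap as major, minor or patch, assuming dotted numeric versions; the function names and the `com.example:demo-lib` line are constructed for illustration.

```python
import re

# Marker that `mvn dependency:tree -Dverbose` prints for a version that lost
# mediation: "(group:artifact:type[:classifier]:version:scope - omitted for conflict with X)"
CONFLICT = re.compile(
    r"\((?P<group>[^:()\s]+):(?P<artifact>[^:\s]+):[^:\s]+:(?:[^:\s]+:)?"
    r"(?P<version>[^:\s]+):(?P<scope>[^:\s]+) - omitted for conflict with (?P<winner>[^)\s]+)\)"
)

def version_gap(a, b):
    """Name the first differing component: 'major', 'minor', 'patch', else 'other'."""
    for level, x, y in zip(("major", "minor", "patch"), a.split("."), b.split(".")):
        if x != y:
            return level if x.isdigit() and y.isdigit() else "other"
    return "other"  # first three parts equal: only a qualifier or extra part differs

def find_conflicts(tree_output, excluded_scopes=("provided", "test")):
    """Return (group:artifact, omitted, selected, gap) per conflict in a checked scope."""
    found = []
    for m in CONFLICT.finditer(tree_output):
        if m["scope"] in excluded_scopes:  # default mirrors the rule's excludedScopes
            continue
        found.append((f"{m['group']}:{m['artifact']}", m["version"], m["winner"],
                      version_gap(m["version"], m["winner"])))
    return found

# Tree lines as quoted in the thread; the final demo-lib line is constructed
# to show a provided-scope conflict being skipped.
SAMPLE = r"""
[INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
[INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
[INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
[INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
[INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
[INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
[INFO]    \- (com.example:demo-lib:jar:1.2.0:provided - omitted for conflict with 2.0.0)
"""

if __name__ == "__main__":
    for ga, omitted, selected, gap in find_conflicts(SAMPLE):
        print(f"{ga}: {omitted} omitted, {selected} selected ({gap}-level gap)")
```

A patch-level gap such as log4j-api 2.24.2 vs 2.24.3 is a candidate for pinning the newer version in dependencyManagement; minor and major gaps deserve the regression testing the thread describes before pinning.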