On previous detaches we faced the same issue: 10-15 plugin dependencies, most of them outdated (I remember trilead-ssh2, sshd). We made a cut on plugins not updated in the last two years (maybe three), which removed most of the problem. For plugins with more than 2-3 years without updates it is difficult to bump the Jenkins core version and dependencies; they do not depend on the BOM, and making the update is a nightmare.

Regards
Ivan Fernandez

> On 23 Aug 2022, at 4:22, Basil Crow <[email protected]> wrote:
>
> I think detaching is riskier than I expected: a lot of plugins bundle
> old copies of ASM (or depend on other plugins that do). With core's
> copy no longer taking precedence, I fear that there might be a high
> risk of regression with a detached plugin. Seems safer to deal with
> each plugin on a case-by-case basis.
>
> I searched for usages of ASM (both direct and transitive) in both
> open-source and proprietary plugins. After filtering out plugins that
> bundled a recent (9.x) ASM JAR in their JPI, plugins whose only usage
> of ASM was through Commons Compress Pack200 support (probably not
> used), plugins with fewer than 1,000 installations, and plugins that
> have already been deprecated, I came up with the following list:
>
> https://plugins.jenkins.io/analysis-model-api - via cglib (via Commons Digester) and com.jayway.jsonpath/net.minidev:json-smart
> https://plugins.jenkins.io/checkmarx - via xbean-reflect-3.7.jar
> https://plugins.jenkins.io/clearcase - via cglib (via Commons Digester)
> https://plugins.jenkins.io/clover - via cglib (via Commons Digester)
> https://plugins.jenkins.io/cvs - via cglib (via Commons Digester)
> https://plugins.jenkins.io/dependency-check-jenkins-plugin - via cglib (via Commons Digester)
> https://plugins.jenkins.io/deploy - via org.glassfish.main.deployment:deployment-common
> https://plugins.jenkins.io/git-changelog - via com.jayway.jsonpath/net.minidev:json-smart
> https://plugins.jenkins.io/github-autostatus - via JNR
> https://plugins.jenkins.io/github-pr-coverage-status - via com.jayway.jsonpath/net.minidev:json-smart
> https://plugins.jenkins.io/hp-application-automation-tools-plugin - com.jayway.jsonpath/net.minidev:json-smart
> https://plugins.jenkins.io/jacoco - directly
> https://plugins.jenkins.io/jnr-posix-api - via JNR
> https://plugins.jenkins.io/kubernetes-pipeline-devops-steps - via JNR
> https://plugins.jenkins.io/maven-dependency-update-trigger - via Plexus
> https://plugins.jenkins.io/maven-info - via cglib (via Commons Digester)
> https://plugins.jenkins.io/multibranch-scan-webhook-trigger - com.jayway.jsonpath/net.minidev:json-smart
> https://plugins.jenkins.io/pipeline-model-definition - directly
> https://plugins.jenkins.io/scm-api - directly
> https://plugins.jenkins.io/synopsys-coverity - via com.jayway.jsonpath/net.minidev:json-smart
> https://plugins.jenkins.io/teamconcert - via cglib (via Commons Digester)
> https://plugins.jenkins.io/token-macro - via com.jayway.jsonpath/net.minidev:json-smart
> https://plugins.jenkins.io/warnings-ng - via com.jayway.jsonpath/net.minidev:json-smart
>
> These could all be dealt with, but dealing with the long tail
> (anything less than a few thousand installations) would be a huge
> amount of work. If we expect someone to do that work for all the
> plugins listed above, then count me out because the expected value is
> just not worth the effort. If, on the other hand, we would be OK with
> leaving behind a substantial number of the above plugins (especially
> those that have only a few thousand installations and/or have not been
> released in years), then I think this could be doable.
>
> --
> You received this message because you are subscribed to a topic in the Google
> Groups "Jenkins Developers" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/jenkinsci-dev/NhV_o6zxbzw/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjpMgsj%3Dz1ZdF3Uu%3DAex6Nmro3Jm2%3DGzKtpuhTE5S3zcwA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/117F794F-0B49-4F32-ACCB-B4754C8C0C17%40gmail.com.
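
One way the bundled-ASM check described in the quoted message could be automated, as an added example; it is not the search Basil Crow ran, which the message does not detail. It assumes plugin libraries sit under `WEB-INF/lib` in the JPI; the sample archive, its JAR names and the finding labels are constructed for the demo.

```python
import io
import re
import zipfile

# asm-5.0.3.jar, asm-commons-9.3.jar, asm-all-5.0.jar: capture the major version.
ASM_JAR = re.compile(r"^asm(?:-[a-z]+)?-(\d+)(?:\.\d+)*\.jar$")
ASM_PKG = "org/objectweb/asm/"

def scan_jpi(jpi_bytes):
    """Map each WEB-INF/lib JAR that carries ASM to a finding label."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jpi_bytes)) as jpi:
        for name in jpi.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            jar_name = name.rsplit("/", 1)[1]
            m = ASM_JAR.match(jar_name)
            if m:  # a plain ASM artifact: old unless it is the 9.x line or later
                recent = int(m.group(1)) >= 9
                findings[jar_name] = "asm-jar-recent" if recent else "asm-jar-old"
                continue
            # Otherwise look inside the nested JAR for ASM classes (transitive use).
            with zipfile.ZipFile(io.BytesIO(jpi.read(name))) as jar:
                classes = [e for e in jar.namelist() if e.endswith(".class")]
            if any(e.startswith(ASM_PKG) for e in classes):
                findings[jar_name] = "asm-classes-embedded"
            elif any(e.endswith("/asm/ClassReader.class") for e in classes):
                # Heuristic (assumption): a relocated copy keeps an .../asm/ package.
                findings[jar_name] = "asm-classes-relocated"
    return findings

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()

def sample_jpi():
    """Constructed plugin archive; every JAR name and class path is made up."""
    asm = {"org/objectweb/asm/ClassReader.class": b""}
    return _zip({
        "WEB-INF/lib/asm-5.0.3.jar": _zip(asm),
        "WEB-INF/lib/asm-commons-9.3.jar": _zip(asm),
        "WEB-INF/lib/fat-lib-1.0.jar": _zip(asm),
        "WEB-INF/lib/shaded-lib-1.0.jar": _zip({"net/example/asm/ClassReader.class": b""}),
        "WEB-INF/lib/plain-lib-2.0.jar": _zip({"net/example/Util.class": b""}),
    })

if __name__ == "__main__":
    print(scan_jpi(sample_jpi()))
```

Only the `asm-jar-old`, `asm-classes-embedded` and `asm-classes-relocated` findings correspond to the old or transitive copies the message is concerned about; a plugin whose only finding is `asm-jar-recent` would be filtered out as in the message.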
