[ 
https://issues.apache.org/jira/browse/OFBIZ-9674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16358124#comment-16358124
 ] 

Jacques Le Roux commented on OFBIZ-9674:
----------------------------------------

Hi Michael, Julian,

I today ran "gradlew dependencyUpdates -Drevision=release" again and got this 
result
{noformat}

------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest release version:
 - org.apache.axis2:axis2-kernel:1.7.7
 - org.apache.axis2:axis2-transport-http:1.7.7
 - org.apache.axis2:axis2-transport-local:1.7.7
 - net.sf.barcode4j:barcode4j:2.1
 - net.sf.barcode4j:barcode4j-fop-ext:2.1
 - org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380
 - commons-cli:commons-cli:1.4
 - org.apache.commons:commons-collections4:4.1
 - org.apache.commons:commons-csv:1.5
 - org.apache.commons:commons-dbcp2:2.2.0
 - commons-net:commons-net:3.6
 - commons-validator:commons-validator:1.6
 - com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.4.2
 - org.apache.derby:derby:10.14.1.0
 - org.owasp.esapi:esapi:2.1.0.1
 - com.googlecode.ez-vcard:ez-vcard:0.9.10
 - org.apache.xmlgraphics:fop:2.2
 - org.freemarker:freemarker:2.3.27-incubating
 - org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1
 - org.apache.geronimo.components:geronimo-transaction:3.1.4
 - at.bxm.gradleplugins:gradle-svntools-plugin:2.2.1
 - com.github.ben-manes:gradle-versions-plugin:0.17.0
 - com.google.guava:guava:20.0
 - org.hamcrest:hamcrest-all:1.3
 - net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11
 - com.ibm.icu:icu4j:60.2
 - org.zapodot:jackson-databind-java-optional:2.6.1
 - javax.el:javax.el-api:3.0.1-b04
 - com.sun.mail:javax.mail:1.6.0
 - javax.servlet:javax.servlet-api:4.0.0
 - javax.servlet.jsp:javax.servlet.jsp-api:2.3.2-b02
 - io.jsonwebtoken:jjwt:0.9.0
 - org.jsoup:jsoup:1.11.2
 - de.odysseus.juel:juel-impl:2.2.7
 - de.odysseus.juel:juel-spi:2.2.7
 - org.safehaus.jug:jug:2.0.0
 - junit:junit:4.12
 - junit:junit-dep:4.11
 - org.apache.logging.log4j:log4j-1.2-api:2.10.0
 - org.apache.logging.log4j:log4j-api:2.10.0
 - org.apache.logging.log4j:log4j-core:2.10.0
 - org.apache.logging.log4j:log4j-jul:2.10.0
 - org.apache.logging.log4j:log4j-slf4j-impl:2.10.0
 - org.apache.lucene:lucene-analyzers-common:7.2.1
 - org.apache.lucene:lucene-core:7.2.1
 - org.apache.lucene:lucene-queryparser:7.2.1
 - org.mockito:mockito-core:2.13.0
 - oro:oro:2.0.8
 - org.apache.poi:poi:3.17
 - org.apache.shiro:shiro-core:1.4.0
 - org.apache.solr:solr-core:7.2.1
 - org.eclipse.birt.runtime:viewservlets:4.5.0
 - wsdl4j:wsdl4j:1.6.3
 - apache-xerces:xercesImpl:2.9.1
 - org.apache.xmlrpc:xmlrpc-client:3.1.3
 - org.apache.xmlrpc:xmlrpc-server:3.1.3
 - com.thoughtworks.xstream:xstream:1.4.10

The following dependencies exceed the version found at the release revision 
level:
 - com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer 
[20170515.1 <- 1.1]

The following dependencies have later release versions:
 - org.apache.ant:ant-junit [1.9.7 -> 1.10.2]
 - org.jasig.cas:cas-server-core [3.3.5 -> 4.2.7]
 - com.google.zxing:core [3.3.1 -> 3.3.2]
 - org.codehaus.groovy:groovy-all [2.4.13 -> 3.0.0-alpha-1]
 - org.apache.httpcomponents:httpclient-cache [4.5.4 -> 4.5.5]
 - com.lowagie:itext [4.2.0 -> 4.2.2]
 - com.googlecode.libphonenumber:libphonenumber [8.8.7 -> 8.8.11]
 - org.apache.poi:poi-excelant [3.14 -> 3.17]
 - org.apache.poi:poi-ooxml [3.14 -> 3.17]
 - org.apache.poi:poi-ooxml-schemas [3.14 -> 3.17]
 - org.apache.poi:poi-scratchpad [3.14 -> 3.17]
 - org.springframework:spring-test [5.0.2.RELEASE -> 5.0.3.RELEASE]
 - org.apache.tika:tika-core [1.16 -> 1.17]
 - org.apache.tika:tika-parsers [1.16 -> 1.17]
 - org.apache.tomcat:tomcat-catalina [8.5.24 -> 9.0.4]
 - org.apache.tomcat:tomcat-catalina-ha [8.5.24 -> 9.0.4]
 - org.apache.tomcat.embed:tomcat-embed-websocket [8.5.23 -> 9.0.4]
 - org.apache.tomcat:tomcat-jasper [8.5.24 -> 9.0.4]
 - org.apache.tomcat:tomcat-tribes [8.5.24 -> 9.0.4]

Failed to determine the latest version for the following dependencies (use 
--info for details):
 - com.sun.syndication:com.springsource.com.sun.syndication
 - org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec
{noformat}

I suggest that we run this from time to time (I think every quarter is enough) 
and update libs when needed. What do you think? I think we should create a new 
Jira each time, right?

> Update build.gradle to the latest dependencies
> ----------------------------------------------
>
>                 Key: OFBIZ-9674
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9674
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Minor
>             Fix For: 17.12.01
>
>         Attachments: OFBIZ-9674_Update_buildgradle.patch
>
>
> I wondered how up-to-date our project dependencies are and searched for an 
> efficient way how to check this. I found the gradle-versions-plugin [1] which 
> analyzes the dependencies and checks if there are newer versions available.
> I ran the check with 
> {code:java}
> ./gradlew dependencyUpdates -Drevision=release
> {code}
> and got the following result:
> ------------------------------------------------------------
> : Project Dependency Updates (report to plain text file)
> ------------------------------------------------------------
> The following dependencies are using the latest release version:
>  - net.sf.barcode4j:barcode4j:2.1
>  - net.sf.barcode4j:barcode4j-fop-ext:2.1
>  - org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380
>  - org.apache.commons:commons-collections4:4.1
>  - com.googlecode.ez-vcard:ez-vcard:0.9.10
>  - org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1
>  - org.apache.geronimo.components:geronimo-transaction:3.1.4
>  - at.bxm.gradleplugins:gradle-svntools-plugin:2.2.1
>  - com.github.ben-manes:gradle-versions-plugin:0.15.0
>  - org.hamcrest:hamcrest-all:1.3
>  - net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11
>  - javax.el:javax.el-api:3.0.1-b04
>  - de.odysseus.juel:juel-impl:2.2.7
>  - de.odysseus.juel:juel-spi:2.2.7
>  - junit:junit:4.12
>  - oro:oro:2.0.8
>  - apache-xerces:xercesImpl:2.9.1
> The following dependencies exceed the version found at the release revision 
> level:
>  - com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer 
> [20160628.1 <- 1.1]
> The following dependencies have later release versions:
>  - org.apache.ant:ant-junit [1.9.0 -> 1.10.1]
>  - org.apache.ant:ant-junit [1.9.7 -> 1.10.1]
>  - org.apache.axis2:axis2-kernel [1.7.1 -> 1.7.6]
>  - org.apache.axis2:axis2-transport-http [1.7.1 -> 1.7.6]
>  - org.apache.axis2:axis2-transport-local [1.7.1 -> 1.7.6]
>  - commons-cli:commons-cli [1.3.1 -> 1.4]
>  - org.apache.commons:commons-csv [1.1 -> 1.5]
>  - org.apache.commons:commons-dbcp2 [2.1 -> 2.1.1]
>  - commons-net:commons-net [3.3 -> 3.6]
>  - commons-validator:commons-validator [1.5.1 -> 1.6]
>  - com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru [1.0 -> 
> 1.4.2]
>  - com.google.zxing:core [3.2.1 -> 3.3.0]
>  - org.apache.derby:derby [10.11.1.1 -> 10.13.1.1]
>  - org.owasp.esapi:esapi [2.1.0 -> 2.1.0.1]
>  - org.apache.xmlgraphics:fop [2.1 -> 2.2]
>  - org.freemarker:freemarker [2.3.25-incubating -> 2.3.26-incubating]
>  - org.codehaus.groovy:groovy-all [2.4.12 -> 2.5.0-beta-1]
>  - org.apache.httpcomponents:httpclient-cache [4.4.1 -> 4.5.3]
>  - com.ibm.icu:icu4j [57.1 -> 59.1]
>  - com.lowagie:itext [2.1.7 -> 4.2.2]
>  - org.zapodot:jackson-databind-java-optional [2.4.2 -> 2.6.1]
>  - com.sun.mail:javax.mail [1.5.1 -> 1.6.0]
>  - javax.servlet:javax.servlet-api [3.1.0 -> 4.0.0]
>  - javax.servlet.jsp:javax.servlet.jsp-api [2.3.0 -> 2.3.2-b02]
>  - junit:junit-dep [4.10 -> 4.11]
>  - com.googlecode.libphonenumber:libphonenumber [8.6.0 -> 8.8.0]
>  - org.apache.logging.log4j:log4j-1.2-api [2.6.2 -> 2.9.0]
>  - org.apache.logging.log4j:log4j-api [2.6.2 -> 2.9.0]
>  - org.apache.logging.log4j:log4j-core [2.6.2 -> 2.9.0]
>  - org.apache.logging.log4j:log4j-jul [2.6.2 -> 2.9.0]
>  - org.apache.logging.log4j:log4j-slf4j-impl [2.6.2 -> 2.9.0]
>  - org.mockito:mockito-core [1.10.19 -> 2.9.0]
>  - org.apache.poi:poi [3.14 -> 3.17-beta1]
>  - org.apache.shiro:shiro-core [1.3.0 -> 1.4.0]
>  - org.springframework:spring-test [4.2.3.RELEASE -> 4.3.10.RELEASE]
>  - org.apache.tika:tika-core [1.12 -> 1.16]
>  - org.apache.tika:tika-parsers [1.12 -> 1.16]
>  - org.apache.tomcat:tomcat-catalina [8.5.16 -> 9.0.0.M26]
>  - org.apache.tomcat:tomcat-catalina-ha [8.5.16 -> 9.0.0.M25]
>  - org.apache.tomcat:tomcat-jasper [8.5.16 -> 9.0.0.M26]
>  - org.apache.tomcat:tomcat-tribes [8.5.16 -> 9.0.0.M25]
>  - wsdl4j:wsdl4j [1.6.2 -> 1.6.3]
>  - org.apache.xmlrpc:xmlrpc-client [3.1.2 -> 3.1.3]
>  - org.apache.xmlrpc:xmlrpc-server [3.1.2 -> 3.1.3]
>  - com.thoughtworks.xstream:xstream [1.4.9 -> 1.4.10]
> Failed to determine the latest version for the following dependencies (use 
> --info for details):
>  - com.sun.syndication:com.springsource.com.sun.syndication
>  - org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec
> Generated report file build/dependencyUpdates/report.txt
> ===
> If there are no objections, I would try to update the dependencies to the 
> latest release versions, which means I would skip the milestone versions for 
> e.g. Tomcat here.
> We can run this check from time to time to see if we have missed updates to 
> the dependencies.
> What do you think? Is this reasonable?
> Thanks,
> Michael
> [1] https://github.com/ben-manes/gradle-versions-plugin



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to