reschke commented on code in PR #2959:
URL: https://github.com/apache/jackrabbit-oak/pull/2959#discussion_r3433006986
##########
oak-blob-cloud-azure/pom.xml:
##########
@@ -285,7 +285,6 @@
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
- <version>33.1.0-jre</version>
Review Comment:
It seems there is a misunderstanding here.
Embedded dependencies which are not exported are not visible from the POV of
OSGi, and thus will not conflict. That's one of the reasons why this is used
here.
We need that Guava version right now. There's zero reason to pin the
version. It's set to the version the Azure SDK wants (and the SDK will go away
anyway).
##########
oak-examples/webapp/pom.xml:
##########
@@ -111,7 +111,7 @@
<dependency>
<groupId>com.googlecode.json-simple</groupId>
<artifactId>json-simple</artifactId>
- <version>1.1</version>
Review Comment:
That said: that library has been unmaintained for 12 years now; so it would
be better to look for a replacement.
##########
oak-run/src/main/java/org/apache/jackrabbit/oak/plugins/tika/CSVFileGenerator.java:
##########
@@ -46,6 +46,8 @@ public void generate(FluentIterable<BinaryResource> binaries)
throws IOException
CSVPrinter printer = new CSVPrinter(new BufferedWriter(new
FileWriter(outFile, StandardCharsets.UTF_8)),
CSVFileBinaryResourceProvider.FORMAT);
closer.register(printer);
+ // commons-csv 1.2+ no longer auto-writes the header on
construction; must be explicit
Review Comment:
-> https://issues.apache.org/jira/browse/OAK-12264
##########
oak-parent/pom.xml:
##########
@@ -855,6 +879,166 @@
<artifactId>jsr305</artifactId>
<version>3.0.2</version>
</dependency>
+ <!-- azure-keyvault-core:1.2.6 pulls guava:30.1.1-jre, conflicting with
the direct guava
+ deps in oak-blob-cloud-azure and oak-segment-azure. Additionally,
in reactor builds
+ Maven uses oak-shaded-guava's original pom.xml rather than
dependency-reduced-pom.xml,
+ so guava:33.5.0-jre also appears as a transitive dep (making guava
optional in
+ oak-shaded-guava would eliminate that false positive, but not the
azure-keyvault conflict). -->
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ <version>33.5.0-jre</version>
+ </dependency>
+ <!-- jackrabbit-core:2.22.3 pulls oak-jackrabbit-api:1.88.0 -->
+ <dependency>
+ <groupId>org.apache.jackrabbit</groupId>
+ <artifactId>oak-jackrabbit-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <!-- oak-auth-ldap has a direct dep on 2.12.0; api-all:2.0.1 pulls 2.8.0
-->
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-pool2</artifactId>
+ <version>2.12.0</version>
+ </dependency>
+ <!-- oak-auth-ldap has a direct dep on 2.1.12; api-all:2.0.1 pulls 2.1.3
-->
+ <dependency>
+ <groupId>org.apache.mina</groupId>
+ <artifactId>mina-core</artifactId>
Review Comment:
We need to discuss this somewhere else, apparently.
##########
oak-run-commons/pom.xml:
##########
@@ -141,6 +141,10 @@
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-core</artifactId>
</exclusion>
+ <!-- jackrabbit-core:2.22.3 (via jackrabbit-parent) declares
tika.version=2.4.1,
Review Comment:
The issue was caused by the change of a maven bundle. Before the change it
did not include Tika. That's what changed (and that's why the aforementioned
issue did not come up ages ago).
##########
oak-parent/pom.xml:
##########
@@ -706,6 +724,12 @@
<artifactId>caffeine</artifactId>
<version>3.1.8</version>
</dependency>
+ <!-- guava:33.5.0-jre pulls 2.41.0; caffeine:3.1.8 pulls 2.21.1 -->
Review Comment:
Where?
ChatGPT points out that these are annotations and that they are used in the
Caffeine API; so they are only relevant at Oak compile time. It might be
possbile to just exclude them, and that's what we should try first.
##########
oak-examples/webapp/pom.xml:
##########
@@ -111,7 +111,7 @@
<dependency>
<groupId>com.googlecode.json-simple</groupId>
<artifactId>json-simple</artifactId>
- <version>1.1</version>
Review Comment:
-> https://issues.apache.org/jira/browse/OAK-12265
##########
oak-parent/pom.xml:
##########
@@ -855,6 +879,166 @@
<artifactId>jsr305</artifactId>
<version>3.0.2</version>
</dependency>
+ <!-- azure-keyvault-core:1.2.6 pulls guava:30.1.1-jre, conflicting with
the direct guava
+ deps in oak-blob-cloud-azure and oak-segment-azure. Additionally,
in reactor builds
+ Maven uses oak-shaded-guava's original pom.xml rather than
dependency-reduced-pom.xml,
+ so guava:33.5.0-jre also appears as a transitive dep (making guava
optional in
+ oak-shaded-guava would eliminate that false positive, but not the
azure-keyvault conflict). -->
Review Comment:
Was that an AI? In any case it's completely ignorant of what this module is.
##########
oak-run/src/main/java/org/apache/jackrabbit/oak/plugins/tika/CSVFileGenerator.java:
##########
@@ -46,6 +46,8 @@ public void generate(FluentIterable<BinaryResource> binaries)
throws IOException
CSVPrinter printer = new CSVPrinter(new BufferedWriter(new
FileWriter(outFile, StandardCharsets.UTF_8)),
CSVFileBinaryResourceProvider.FORMAT);
closer.register(printer);
+ // commons-csv 1.2+ no longer auto-writes the header on
construction; must be explicit
Review Comment:
No.
When was the last time you had to bisect Oak's history to find a regression?
Why would a code change happen under a ticket with this title????
##########
oak-parent/pom.xml:
##########
@@ -855,6 +879,166 @@
<artifactId>jsr305</artifactId>
<version>3.0.2</version>
</dependency>
+ <!-- azure-keyvault-core:1.2.6 pulls guava:30.1.1-jre, conflicting with
the direct guava
+ deps in oak-blob-cloud-azure and oak-segment-azure. Additionally,
in reactor builds
+ Maven uses oak-shaded-guava's original pom.xml rather than
dependency-reduced-pom.xml,
+ so guava:33.5.0-jre also appears as a transitive dep (making guava
optional in
+ oak-shaded-guava would eliminate that false positive, but not the
azure-keyvault conflict). -->
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ <version>33.5.0-jre</version>
+ </dependency>
+ <!-- jackrabbit-core:2.22.3 pulls oak-jackrabbit-api:1.88.0 -->
+ <dependency>
+ <groupId>org.apache.jackrabbit</groupId>
+ <artifactId>oak-jackrabbit-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <!-- oak-auth-ldap has a direct dep on 2.12.0; api-all:2.0.1 pulls 2.8.0
-->
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-pool2</artifactId>
+ <version>2.12.0</version>
+ </dependency>
+ <!-- oak-auth-ldap has a direct dep on 2.1.12; api-all:2.0.1 pulls 2.1.3
-->
+ <dependency>
+ <groupId>org.apache.mina</groupId>
+ <artifactId>mina-core</artifactId>
+ <version>2.1.12</version>
+ </dependency>
Review Comment:
FWIW, this is another case of intended embedding.
@rishabhdaim - can you open a ticket for the directory update?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
