[TDB-19854/3.11] - Refactor the Demos to remove vulnerable dependencies (backport of master)#3315
Open
aurbroszniowski wants to merge 1 commit intoehcache:release/3.11from
Conversation
aurbroszniowski
changed the title
…) and add slf4j exclusions on Terracotta dependencies (statistics, offheap-store, sizeof, terracotta-utilities-tools) that declare the conflicting 1.7 range - Fix Java deprecation/removal warnings treated as errors by -Werror - Add missing javax.xml.bind:jaxb-api to xjcToolJakarta configuration to fix ClassNotFoundException during Jakarta XJC code generation - Add javadocAdd/jakartaJavadocAdd classpath configurations in ehcache/build.gradle (spotbugs-annotations, jaxb-api) and clustered/ehcache-clustered/build.gradle (ehcache-common-api, ehcache-common) required for javadocJar tasks in the assemble chain - Backport of TDB-19854 (master/3.12): upgrade SpotBugs to 4.9.8, AssertJ to 3.27.7, Mockito to 5.12.0, ByteBuddy to 1.18.3; rewrite demos to use embedded Jetty 12 instead of Gretty; refactor SPI tests to use JUnit 4 rules; update Mockito 5 API usage (MockitoAnnotations, ArgumentMatchers); fix SpotBugs annotation usages - Address compilation errors and test failures introduced by upgrading slf4j from 1.7.x to 2.0.17 - PR build with java 17
aurbroszniowski
force-pushed
the
TDB-19853-upgrade-dependencies-3.11
branch
from
9635006 to
547c334
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of TDB-19854/master (commit d532bbc)
This was a dependency upgrade commit applied to master. Since this branch targets the same dependency upgrade goal for 3.11, those changes (SpotBugs, AssertJ, Mockito, ByteBuddy version bumps; demos rewrite; SPI test refactoring; API usage fixes) needed to be replicated here.
Upgrade slf4j-api 1.7.36 to 2.0.17
Logback was upgraded to 1.5.26, which requires SLF4J 2.x.
Add slf4j exclusions on Terracotta dependencies statistics (and other Terracotta libs) that declare SLF4J with the range [1.7.32,1.7.9999), which excludes 2.0.17.
Replace Class.newInstance() with getDeclaredConstructor().newInstance()
Class.newInstance() is deprecated. The project compiles with -Werror -Xlint:all, which promotes deprecation warnings to errors, so the build fails.
Suppress finalize() deprecation
Same -Werror issue.
Suppress Proxy.getProxyClass() deprecation
Also deprecated, same -Werror issue.
Add jaxb-api to xjcToolJakarta configuration
The XJC code generator needs the JAXB API jar. This dependency was present in master but missing in the 3.11 branch, causing a ClassNotFoundException at generation time.
Add javadocAdd/jakartaJavadocAdd classpath configurations
The source code references types from spotbugs-annotations (e.g. @checkfornull, @nonnull) and jaxb-api, which the javadoc tool needs on its classpath. These configurations existed in master but were absent in the 3.11 branch. They are required (not optional) because javadocJar is a dependency in the assemble task.
OSGi + SLF4J 2.x (osgi-test/build.gradle, clustered/osgi-test/build.gradle, OsgiTestUtils.java): SLF4J 2.x uses ServiceLoader and requires the osgi.serviceloader.processor extender capability, provided by Apache Aries SPIFly. SPIFly requires ASM 9.x (pulled in transitively). Added SPIFly to osgiModule configurations;
Deprecated wrapper constructors (StateRepositoryWhitelistingTest.java, ClusteredStoreTest.java, IntegrationConfigurationTest.java, OverSizeMappingTest.java): new Integer(x), new Long(x) constructors are deprecated for removal. Replaced with Integer.valueOf(), Long.valueOf().hashCode(), or primitive literals as appropriate.
@jdk.internal.vm.annotation.Contended removal (ConcurrentHashMap.java): matches master
AccessController.doPrivileged() suppression (ClassLoading.java): -Werror failure
ByteBuffer.flip() cast suppression: -Werror failure
BOB review pass to validate the changes.