
Switching the dependencies to release versions

David Diederich requested to merge remove-snapshot-dependencies into master

This changes the library dependencies to use released versions of the core libraries. They were previously depending on SNAPSHOT versions, which is a less stable version. More importantly, the SNAPSHOT versions are periodically purged from the system to save disk space -- this happened recently. Since these libraries no longer exist on community, building Indexer becomes difficult.

In this case, the fossa-analyze step is unable to run the mvn dependency:tree for these two components. Later, it complains about incompatible licenses using Elasticsearch 7.11. However, we're actually using version 7.8, which was still Apache 2.0 licensed. I believe that the inability to run mvn dependency:tree led FOSSA to textually scan the pom.xml file, where it found elasticsearch dependencies with no version specified and assumed the latest available.

This MR moves those dependencies to a release version, which is better going forward and allows FOSSA to do the build and get good dependency information. I assert that there are no substantial changes between the SNAPSHOT version I moved from and the latest release version that I moved to. It's difficult to know which commit the SNAPSHOT dependency linked to, since it moved many times, but here are the differences from the last time the SNAPSHOT dependency was listed and the one commit that has the release version (0.7.0). All of these changes were from me, updating versions and references as part of the release process.

Separately, since I was working with FOSSA, I updated the configuration file and the corresponding NOTICE changes resulting from the new module.

Edited by David Diederich
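
A pre-build check for the two conditions described above, SNAPSHOT dependencies and dependencies whose version cannot be determined from the pom.xml text alone, can look like the following. This is an added example, not part of the merge request or the project's code; the sample POM, its coordinates and versions, and the function name `audit_pom` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; coordinates and versions are illustrative only.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><core.version>0.7.0-SNAPSHOT</core.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>managed-lib</artifactId><version>1.2.3</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>core-lib</artifactId><version>${core.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>managed-lib</artifactId></dependency>
    <dependency><groupId>org.elasticsearch</groupId><artifactId>elasticsearch</artifactId></dependency>
  </dependencies>
</project>"""

def _text(dep, tag):
    node = dep.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None

def audit_pom(pom_xml):
    """Return (snapshot, unpinned) lists of 'group:artifact' coordinates."""
    root = ET.fromstring(pom_xml)
    # Properties and managed versions declared in this file only; a parent
    # POM or imported BOM is deliberately not consulted, mirroring what a
    # text-only scan of a single pom.xml can see.
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        managed[(_text(dep, "groupId"), _text(dep, "artifactId"))] = _text(dep, "version")
    snapshot, unpinned = [], []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        version = _text(dep, "version") or managed.get(key)
        # Resolve a single ${property} reference defined in this file.
        if version and version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1])
        coord = ":".join(key)
        if version is None:
            unpinned.append(coord)   # version must come from outside this file
        elif version.endswith("-SNAPSHOT"):
            snapshot.append(coord)   # mutable artifact that may be purged
    return snapshot, unpinned

if __name__ == "__main__":
    snap, unpinned = audit_pom(SAMPLE_POM)
    print("SNAPSHOT dependencies:", snap)
    print("No version resolvable from this file:", unpinned)
```

Failing the pipeline when either list is non-empty surfaces the problem before a license scanner has to guess at versions.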
