
Core-Common dependency management cleanup and optimization

Rustam Lotsmanenko (EPAM) requested to merge optimize-dependency-management into master

Description:

Issue: #1

  • Heavy dependencies were replaced with shallow ones.
  • For spring dependencies, the scope was changed to provided. This means that Core-Common consumers will define Spring dependencies by themselves (which is already happening).
  • All dependencies were bumped up.
  • Unused dependencies were removed.
  • The dependency management section was cleaned.
  • Added maven dependency plugin to simplify dependency maintenance.

Replacements:

  • spring-boot-starter-validation -> hibernate-validator, spring-boot-autoconfigure
  • spring-boot-starter-web -> spring-web
  • swagger-jaxrs -> swagger-models

mvn dependency:analyze report:

Before fix:

[WARNING] Unused declared dependencies found:
[WARNING]    org.springframework.boot:spring-boot-starter-web:jar:3.2.2:compile
[WARNING]    org.springframework.boot:spring-boot-starter-validation:jar:3.2.2:compile
[WARNING]    org.springframework:spring-webmvc:jar:6.1.3:compile
[WARNING]    jakarta.servlet:jakarta.servlet-api:jar:6.1.0-M1:provided
[WARNING]    com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.14.1:compile
[WARNING]    com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.14.1:compile
[WARNING]    io.swagger:swagger-jaxrs:jar:1.5.22:compile
[WARNING]    org.mockito:mockito-inline:jar:5.2.0:test

After fix:

[WARNING] Unused declared dependencies found:
[WARNING]    io.jsonwebtoken:jjwt:jar:0.12.5:compile
[WARNING]    io.swagger:swagger-models:jar:1.6.14:compile
[WARNING]    org.mockito:mockito-inline:jar:5.2.0:test

How to test:

Changes were tested via integration tests of the Storage and Entitlements services.

Changes include:

  • Refactor (a non-breaking change that improves code maintainability).
  • Bugfix (a non-breaking change that solves an issue).
  • New feature (a non-breaking change that adds functionality).
  • Breaking change (a change that is not backward-compatible and/or changes current functionality).

Changes in:

  • Common code

Dev Checklist:

  • Added Unit Tests, wherever applicable.
  • Updated the Readme, if applicable.
  • Existing Tests pass
  • Verified functionality locally
  • Self Reviewed my code for formatting and complex business logic.

Other comments:

I was trying to upgrade all dependencies at once, but biz.paluch.redis.lettuce

    <dependency>
      <groupId>biz.paluch.redis</groupId>
      <artifactId>lettuce</artifactId>
      <version>${lettuce.version}</version>
    </dependency>

requires changing the dependency group id to io.lettuce, as biz.paluch.redis.lettuce is not supported anymore.

    <dependency>
        <groupId>io.lettuce</groupId>
        <artifactId>lettuce-core</artifactId>
        <version>6.3.2.RELEASE</version>
    </dependency>

This causes issues in consumer services and could increase impact.
The changes are not complex; imports need to be changed from com.lambdaworks.redis to io.lettuce.
But this will add overhead, and anyone who is going to upgrade core-common should be aware of that change.
So lettuce was not upgraded, but it is worth doing so, if everyone agrees.
The current version is outdated and contains a lot of vulnerable dependencies.


Edited by Rustam Lotsmanenko (EPAM)
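As an added illustration (not part of this merge request or the Core-Common pom), a pom.xml fragment showing the two ideas the description relies on: the shallow Spring replacement in provided scope, and the maven-dependency-plugin `analyze-only` goal wired so that dependency drift fails the build instead of only printing warnings. The version properties, the plugin execution and the ignore list are assumptions chosen for the example.

```xml
<!-- Added example, not the project's own pom. Versions are assumed properties. -->
<project>
  <properties>
    <spring.version>6.1.3</spring.version>            <!-- assumed -->
    <hibernate-validator.version>8.0.1.Final</hibernate-validator.version> <!-- assumed -->
  </properties>

  <dependencies>
    <!-- spring-boot-starter-web replaced by spring-web; the consumer service
         supplies its own Spring, so the library only compiles against it -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.version}</version>
      <scope>provided</scope>
    </dependency>
    <!-- spring-boot-starter-validation replaced by the validator itself -->
    <dependency>
      <groupId>org.hibernate.validator</groupId>
      <artifactId>hibernate-validator</artifactId>
      <version>${hibernate-validator.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <executions>
          <execution>
            <id>analyze-dependencies</id>
            <goals>
              <goal>analyze-only</goal>
            </goals>
            <configuration>
              <!-- turn "unused declared" / "used undeclared" into build failures -->
              <failOnWarning>true</failOnWarning>
              <!-- mockito-inline is loaded through its mockito-extensions
                   resource rather than imports, so the analyzer cannot see it -->
              <ignoredUnusedDeclaredDependencies>
                <ignoredUnusedDeclaredDependency>org.mockito:mockito-inline</ignoredUnusedDeclaredDependency>
              </ignoredUnusedDeclaredDependencies>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With `failOnWarning` enabled, the two remaining entries from the "After fix" report (jjwt and swagger-models) would also need to be either removed, moved to the module that uses them, or listed in the ignore list before the build goes green.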
