Remove SNAPSHOT dependencies

David Diederich requested to merge remove-snapshot-dependencies into master

This automated MR removes usage of SNAPSHOT versions in the first party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.

Dependency Information Before the Upgrade

Branch: master
SHA:    45ee5835fd1c5e522c70016d7f03f6fd0066563f
Maven:  0.17.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.14.0-rc2 0.6.1
core-lib-gcp 0.15.0
os-core-lib-aws 0.16.0-SNAPSHOT 0.13.0, 0.3.16
obm 0.15.0
oqm 0.15.0
os-core-common 0.13.0 0.13.0
os-core-lib-ibm 0.16.0-rc1 0.15.2, 0.7.0
os-schema-core 0.17.0-SNAPSHOT 0.16.0-SNAPSHOT
os-schema-test-anthos 0.17.0-SNAPSHOT
os-schema-test-gcp 0.17.0-SNAPSHOT
osm 0.15.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.13.2.2, 2.11.4 2.13.2.2, 2.11.3
(3rd Party) net.minidev.json-smart 2.4.7 2.3
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl 2.17.1 2.13.3
(3rd Party) org.springframework.spring-webflux 5.3.12
(3rd Party) org.springframework.spring-webmvc 5.3.22 5.3.22
Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  └─ org.opengroup.osdu.os-schema-gcp == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-schema-core == 0.17.0-SNAPSHOT
│        └─ com.fasterxml.jackson.core.jackson-databind == 2.11.4
└─ testing/
   └─ org.opengroup.osdu.schema-test-azure == 0.17.0-SNAPSHOT
      └─ org.opengroup.osdu.os-schema-core == 0.16.0-SNAPSHOT
         └─ com.fasterxml.jackson.core.jackson-databind == 2.11.3
Critical: Found Vulnerable Spring WebFlux dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
   └─ org.opengroup.osdu.os-schema-azure == 0.17.0-SNAPSHOT
      └─ com.azure.spring.azure-spring-boot-starter-active-directory == 3.4.0
         └─ org.springframework.boot.spring-boot-starter-webflux == 2.4.12
            └─ org.springframework.spring-webflux == 5.3.12

Dependency Information After the Upgrade

Branch: remove-snapshot-dependencies
SHA:    56a9a5d20aceb322f62ce5d4827bcc7cd6a44380
Maven:  0.17.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.14.0-rc2 0.6.1
core-lib-gcp 0.15.0
os-core-lib-aws 0.16.1 0.13.0, 0.3.16
obm 0.15.0
oqm 0.15.0
os-core-common 0.13.0 0.13.0
os-core-lib-ibm 0.16.0-rc1 0.15.2, 0.7.0
os-schema-core 0.17.0-SNAPSHOT 0.16.0-SNAPSHOT
os-schema-test-anthos 0.17.0-SNAPSHOT
os-schema-test-gcp 0.17.0-SNAPSHOT
osm 0.15.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.13.2.2, 2.11.4 2.13.2.2, 2.11.3
(3rd Party) net.minidev.json-smart 2.4.7 2.3
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl 2.17.1 2.13.3
(3rd Party) org.springframework.spring-webflux 5.3.12
(3rd Party) org.springframework.spring-webmvc 5.3.22 5.3.22
Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  └─ org.opengroup.osdu.os-schema-gcp == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-schema-core == 0.17.0-SNAPSHOT
│        └─ com.fasterxml.jackson.core.jackson-databind == 2.11.4
└─ testing/
   └─ org.opengroup.osdu.schema-test-azure == 0.17.0-SNAPSHOT
      └─ org.opengroup.osdu.os-schema-core == 0.16.0-SNAPSHOT
         └─ com.fasterxml.jackson.core.jackson-databind == 2.11.3
Critical: Found Vulnerable Spring WebFlux dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
   └─ org.opengroup.osdu.os-schema-azure == 0.17.0-SNAPSHOT
      └─ com.azure.spring.azure-spring-boot-starter-active-directory == 3.4.0
         └─ org.springframework.boot.spring-boot-starter-webflux == 2.4.12
            └─ org.springframework.spring-webflux == 5.3.12
