@absurdfarce (Collaborator) commented Dec 12, 2025

Full set of dependency updates for 1.11.1

After analysis of reported CVEs this resolves down to the following:

<slf4j.version>1.7.36</slf4j.version>
<logback.version>1.2.11</logback.version>
<slf4j.version>2.0.16</slf4j.version>
<logback.version>1.3.15</logback.version>
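
Review bot: slf4j.version crosses a major line in this hunk (1.7.36 to 2.0.16) and nothing in the pom records that logback.version has to move with it. slf4j 2.x locates its backend through ServiceLoader rather than the StaticLoggerBinder class that 1.7-era bindings ship, so a leftover 1.7 binding on the classpath is ignored and logging falls back to the no-operation logger; logback 1.3.x is the line built against slf4j 2.0. I would add an XML comment beside the two properties saying they are a pair, and check the resolved dependency tree for any other slf4j binding or bridge that is not versioned through `${slf4j.version}`.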

@absurdfarce (Collaborator, Author):

These versions are what the Java driver will be moving to in 4.19.3... see this PR for more detail

<commons-exec.version>1.3</commons-exec.version>
<surefire.version>2.22.2</surefire.version>
<jcip.version>1.0-1</jcip.version>
<spotbugs.version>4.5.3</spotbugs.version>

@absurdfarce (Collaborator, Author) commented Dec 12, 2025:

These dependencies used to come along with the Java driver but were removed when the driver moved from DataStax to the Apache Software Foundation. The versions specified here were the versions used with the last DataStax-supported Java driver release.


assertThat(dsbulkCodec.encode(tooManyNode, ProtocolVersion.DEFAULT)).isNotNull();
assertThatThrownBy(() -> dsbulkCodec.encode(tooManyNode, ProtocolVersion.DEFAULT))
.isInstanceOf(IllegalArgumentException.class);
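
Review bot: the new assertion on tooManyNode checks only the exception type, so it passes for any IllegalArgumentException thrown on the encode path, not just the one from the dimension check. Chaining a message check such as `.hasMessageContaining(...)`, with whatever text the codec uses for the size mismatch, would tie the test to the bounds check itself. If the too-few-elements case is not already asserted the same way elsewhere in this test, it belongs next to this one.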

@absurdfarce (Collaborator, Author):

This change (and the equivalent change for the string-to-vector codec below) matches up to a change that came in subsequent versions of the Java driver after initial vector support was added. A decision was made to provide uniform bounds checking for vectors across all drivers such that any number of elements other than those specified by the vector's dimension will throw an IllegalArgumentException. JAVA-3143 is the relevant ticket here.

<reactor.version>2020.0.19</reactor.version>
<config.version>1.4.2</config.version>
<netty.version>4.1.94.Final</netty.version>
<netty.version>4.1.119.Final</netty.version>
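
Review bot: netty.version moves to 4.1.119.Final while reactor.version in the same block stays at 2020.0.19, and the pom gives no reason for the pin or what it tracks. A short comment naming the Java driver release this is aligned with would make the next bump easier to reason about, and `mvn dependency:tree -Dincludes=io.netty` is worth running to confirm no transitive netty artifact still resolves to 4.1.94.Final.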

@absurdfarce (Collaborator, Author):

Netty version specified here matches up to what's in Java driver version 4.19.2.

@absurdfarce (Collaborator, Author):

Jenkins appears to be under the weather so I ran the integration tests locally. Stock ITs pass without issue, medium ITs mostly pass with one exception... but I'm pretty sure that exception is an infrastructure issue (it's reported as #517).

@absurdfarce (Collaborator, Author):

Ping @adutra for review on this one as well
