
chore(deps): bump org.apache.commons:commons-compress from 1.25.0 to 1.26.0

Open dependabot[bot] opened this issue 1 year ago • 14 comments

Bumps org.apache.commons:commons-compress from 1.25.0 to 1.26.0.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Feb 19 '24 11:02 dependabot[bot]

Error:  Errors: 
Error:    UploadTest$Success$Directory.createsTempDirectoryAndPipesDirInServer:346 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$Directory.extractsTar:378 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$Directory.uploadReturnsTrue:336 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$Directory.verifiesUploadedTarSize:362 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$SingleFile$TarCompression.bigNumbersSupported:306 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$SingleFile$TarCompression.longFileNamesSupported:288 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$SingleFile$TarCompression.validTarArchive:268 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$SingleFile.createsTempDirectoryAndPipesFileInServer:208 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$SingleFile.extractsTar:240 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$SingleFile.uploadReturnsTrue:198 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest$Success$SingleFile.verifiesUploadedTarSize:224 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
Error:    UploadTest.uploadFailureDeletesTemp:130 » KubernetesClient TarArchiveOutputStream is provided by commons-compress, an optional dependency. To use this functionality you must explicitly add this dependency to the classpath.
[INFO] 
Error:  Tests run: 240, Failures: 0, Errors: 12, Skipped: 0

rohanKanojia avatar Feb 19 '24 13:02 rohanKanojia

This is important for CVE reasons

oscerd avatar Feb 22 '24 11:02 oscerd

> This is important for CVE reasons

Yes, we have on our Sprint planning as priority.

Anyway, the dependency is provided, users are responsible to update whatever commons-compress their project is using. We need to figure out why tests are failing though.

manusa avatar Feb 22 '24 12:02 manusa

Seems like it's the change that's causing the issue: https://github.com/apache/commons-compress/commit/7d4beb1940af7756ab184eac94bbaf14287e1779

metacosm avatar Feb 26 '24 17:02 metacosm

One thing that is fishy is that the error concerns a class that is not used in TarArchiveOutputStream anymore (the class that's used is supposed to be org.apache.commons.io.Charsets (provided by commons-io, which is not included as a dependency for the module, so I guess that's the issue here), not org.apache.commons.codec.Charsets) so I'm not sure why it's looking for that last class…

For that matter, there is also a Charsets class in org.apache.commons.compress.utils

metacosm avatar Feb 26 '24 18:02 metacosm

Actually, 1.26 is using the commons-codec version of Charsets 🤦🏼 but that was changed in https://github.com/apache/commons-compress/commit/2d1b94ff3f3d8c6c5bb25b5be0d4c8e0fdd73a4b

metacosm avatar Feb 26 '24 20:02 metacosm

Seems like adding the commons-codec optional dependency also addresses the native compilation issues.

metacosm avatar Feb 26 '24 21:02 metacosm

> Seems like it's the change that's causing the issue: https://github.com/apache/commons-compress/commit/7d4beb1940af7756ab184eac94bbaf14287e1779

On its own, this doesn't seem to be a problem, all changes seem to be internal.

> Seems like adding the commons-codec optional dependency also addresses the native compilation issues.

OK, this is what makes sense now. commons-codec is now mandatory too when using commons-compress. Why didn't they make it transitive though? :shrug:

I'll try to fix this in this PR.

This is a shame because we already did an effort some time ago to remove the commons-codec dependency (#3672 / #3682)

Related:

  • https://issues.apache.org/jira/browse/COMPRESS-659 (TarArchiveOutputStream issue, which affects us)
  • https://issues.apache.org/jira/browse/COMPRESS-660
  • https://github.com/apache/commons-compress/blob/09a271dfd73e3ce01815f3f65057f92b5b7009bb/pom.xml#L134

manusa avatar Feb 27 '24 06:02 manusa

As discussed in https://issues.apache.org/jira/browse/COMPRESS-659 a fix was already provided and a commons-compress 1.26.1 will be released soon. We should probably wait for this release instead of merging the current fix.

manusa avatar Feb 27 '24 06:02 manusa

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud[bot] avatar Feb 27 '24 07:02 sonarqubecloud[bot]

The change made in https://issues.apache.org/jira/browse/COMPRESS-659 will make commons-compress dependent on commons-io, though, so we might need some equivalent fix here as well to add a commons-io dependency.

metacosm avatar Feb 27 '24 09:02 metacosm

commons-io is transitive to commons-compress, there shouldn't be a problem :crossed_fingers:

manusa avatar Feb 27 '24 10:02 manusa
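The two comments above (commons-codec being required by 1.26.0, commons-io being required after the COMPRESS-659 fix) describe the same failure mode: the library's optional-dependency guard sees `TarArchiveOutputStream` on the classpath, but a class that the new commons-compress release pulls in is missing, so the guard's "add commons-compress to the classpath" message fires even though commons-compress is present. The following startup check is an added example written for this thread, not code from the fabric8 kubernetes-client project or from commons-compress. It resolves the three classes named in the discussion and reads the commons-compress version from the jar manifest so an operator can confirm the CVE-fixed version is actually the one on the runtime classpath. The class name `CompressClasspathCheck` is hypothetical; it assumes the commons-compress jar carries an `Implementation-Version` manifest entry (it reports "unknown" otherwise).

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (hypothetical class, not part of kubernetes-client): checks that
 * commons-compress and the companion classes discussed in this thread resolve,
 * and reports which commons-compress version is actually on the classpath.
 */
public final class CompressClasspathCheck {

    // The class whose absence the client reports as an "optional dependency" error
    // in the test output earlier in this thread.
    static final String TAR_OUT =
            "org.apache.commons.compress.archivers.tar.TarArchiveOutputStream";
    // Companion used by commons-compress 1.26.0 (see the Charsets discussion above).
    static final String CODEC_CHARSETS = "org.apache.commons.codec.Charsets";
    // Companion used after the COMPRESS-659 fix (commons-io).
    static final String IO_CHARSETS = "org.apache.commons.io.Charsets";

    /** Outcome of the check: resolved version and the classes that could not be loaded. */
    public static final class Report {
        public final String compressVersion;
        public final List<String> missing;

        Report(String compressVersion, List<String> missing) {
            this.compressVersion = compressVersion;
            this.missing = Collections.unmodifiableList(missing);
        }

        public boolean ok() {
            return missing.isEmpty();
        }
    }

    /** Resolves a class by name without initializing it; treats both CNFE and NCDFE as absent. */
    static boolean present(String className) {
        try {
            Class.forName(className, false, CompressClasspathCheck.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            // NoClassDefFoundError is the symptom when the top-level class exists but one of
            // its transitive companions (e.g. commons-codec Charsets) does not.
            return false;
        }
    }

    /** Reads Implementation-Version from the jar manifest of the package, or "unknown". */
    static String manifestVersion(String className) {
        try {
            Package pkg = Class.forName(className, false,
                    CompressClasspathCheck.class.getClassLoader()).getPackage();
            String v = pkg == null ? null : pkg.getImplementationVersion();
            return v == null ? "unknown" : v;
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return "absent";
        }
    }

    public static Report check() {
        List<String> missing = new ArrayList<>();
        for (String cls : new String[] {TAR_OUT, CODEC_CHARSETS, IO_CHARSETS}) {
            if (!present(cls)) {
                missing.add(cls);
            }
        }
        return new Report(manifestVersion(TAR_OUT), missing);
    }

    public static void main(String[] args) {
        Report r = check();
        System.out.println("commons-compress version on classpath: " + r.compressVersion);
        if (r.ok()) {
            System.out.println("all required classes resolve");
        } else {
            for (String cls : r.missing) {
                System.out.println("missing: " + cls);
            }
            // Distinguish "commons-compress not on classpath" from "companion missing",
            // which is the case the thread's generic error message hides.
            if (!r.missing.contains(TAR_OUT)) {
                System.out.println("commons-compress is present but a companion "
                        + "dependency is not; declare commons-codec / commons-io explicitly");
            }
        }
    }
}
```

Run it on the application's real classpath (for example with `java -cp <app classpath> CompressClasspathCheck`). Checking only the top-level class is what makes the guard message in the test output misleading: `Class.forName` on `TarArchiveOutputStream` succeeds while the `NoClassDefFoundError` for a companion class only surfaces on first use, so a check that probes the companions separately gives a message that names the actual missing artifact.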

I've built 1.26.1-SNAPSHOT locally and confirmed that simply upgrading to it without other changes seems to address the native compilation issue I was seeing.

metacosm avatar Feb 27 '24 11:02 metacosm

> I've built 1.26.1-SNAPSHOT locally and confirmed that simply upgrading to it without other changes seems to address the native compilation issue I was seeing.

Let's wait for it then

manusa avatar Feb 28 '24 05:02 manusa

A newer version of org.apache.commons:commons-compress exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

dependabot[bot] avatar Mar 11 '24 11:03 dependabot[bot]

> A newer version of org.apache.commons:commons-compress exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

Closing in favor of the newer version which should be addressed by https://issues.apache.org/jira/browse/COMPRESS-659

manusa avatar Mar 11 '24 12:03 manusa

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] avatar Mar 11 '24 12:03 dependabot[bot]