docusign-esign-java-client

Third-party dependencies upgrade

Open mariuszpala opened this issue 1 year ago • 3 comments

Is there any chance to upgrade the third-party dependencies to the latest versions and also add them as proper dependencies in the POM?

mariuszpala avatar Mar 28 '25 13:03 mariuszpala

I second this, especially the Jersey library, which causes an OOM issue.

oleksii-kondratiuk avatar Mar 28 '25 15:03 oleksii-kondratiuk

+1 here

thelollipopka avatar Jun 04 '25 20:06 thelollipopka

I definitely would recommend cleaning up the project a little, in particular the POM file which has obvious issues (for instance, the brsanthu migbase dependency is completely unused now and replaced with Java 8's Base64 decoder which is good, but it still is declared even twice with the same scope in the POM), some of the plugins used are ancient, and namely the Jackson imports are mixed which never is a good idea (three of the transient artifacts are from version 2.14.2 while the others are from 2.17.0, both releases are outdated). Note that Jersey 3 and Jakarta JAX-RS have a Java 11 baseline requirement which should be mentioned somewhere, Java 9 is not sufficient. I will refrain from listing other issues here, as you can simply copy the POM to ChatGPT and let it analyze it for you.

Note that the dependency issues also affect shading. I would reconsider the shading solution in general, as there is no relocation in place, so in effect class path issues are imminent with the Fat Jar approach, namely as Jackson for example is widely used elsewhere.

Cleaning up the thing takes less than half a day and would make the project look way more professional and usable. Drop the obviously unmaintained Gradle files and the NetBeans stuff too, possibly, and port the test class to JUnit 5 which is trivial in this case. You can either use IntelliJ's migration assistant or simply use ChatGPT for this, it's only a huge single file.

Then, please absolutely reconsider the decision to release the jar file without specifying any of its required dependencies and let the developer do the analysis instead. This is namely important because the Jackson version issues are not obvious even when looking at the POM, not to mention the README list. This is the only project I know of that does so and it's really odd and cumbersome. Instead, the released POM still contains all the unnecessary build and plugin data, but leaves out what's additionally required to actually use it. In effect, that's about directly against what Maven was intended for. On a side note, the Maven flatten plugin can be of great help to produce stable release POMs without all the overhead and it's dead easy to use (this will be an upcoming feature of Maven 4 btw.)

Finally, please take all this as kind recommendations, I'm glad this project exists at all, but it just could be made much better and more usable with just a little effort on your side :-)

cbollmeyer avatar Aug 21 '25 08:08 cbollmeyer
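
An added example (not part of the thread and not the project's own code): a small check for the two POM problems described in the comment above, a dependency declared twice with the same scope and Jackson artifacts declared at mixed versions. The sample POM is constructed for illustration; `audit_pom` and the `com.example:unused-base64` coordinate are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for illustration; not the project's actual file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.17.0</jackson.version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-core</artifactId><version>${jackson.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.17.0</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-annotations</artifactId><version>2.14.2</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.jaxrs</groupId><artifactId>jackson-jaxrs-json-provider</artifactId><version>2.14.2</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>unused-base64</artifactId><version>1.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>unused-base64</artifactId><version>1.0</version></dependency>
  </dependencies>
</project>"""

def _text(dep, name, default=""):
    """Return the trimmed text of a child element, or the default if absent."""
    return (dep.findtext(f"m:{name}", default, NS) or default).strip()

def audit_pom(pom_xml, family_prefix="com.fasterxml.jackson"):
    """Return (duplicate declarations, {version: artifacts} if the family is mixed).
    Only directly declared dependencies are inspected, not transitive ones."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in (props_el if props_el is not None else [])}
    seen, versions = Counter(), defaultdict(set)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group, artifact = _text(dep, "groupId"), _text(dep, "artifactId")
        scope = _text(dep, "scope", "compile")  # Maven's default scope
        version = _text(dep, "version")
        if version.startswith("${") and version.endswith("}"):
            # Resolve simple ${property} references from <properties>.
            version = props.get(version[2:-1], version)
        seen[(group, artifact, scope)] += 1
        if group.startswith(family_prefix):
            versions[version].add(artifact)
    duplicates = sorted(k for k, n in seen.items() if n > 1)
    mixed = {v: sorted(a) for v, a in versions.items()} if len(versions) > 1 else {}
    return duplicates, mixed

if __name__ == "__main__":
    print(audit_pom(SAMPLE_POM))
```

Versions pulled in transitively do not appear in the POM text, so the resolved tree (for example from `mvn dependency:tree`) still needs checking separately.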