[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

Mon, 07 Nov 2022 12:37:06 -0800 


    [ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17630019#comment-17630019
 ] 

Tim Allison commented on TIKA-2536:
-----------------------------------

Thank you!

It looks like we include this in our README, but do not explain that it fixes 
dependency convergence as well!

I just confirmed that it does fix dependency convergence.

{noformat}
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.tika</groupId>
        <artifactId>tika-bom</artifactId>
        <version>${tika.version></version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
{noformat}

> Move to later edu.ucar version to avoid EOL dependencies
> --------------------------------------------------------
>
>                 Key: TIKA-2536
>                 URL: https://issues.apache.org/jira/browse/TIKA-2536
>             Project: Tika
>          Issue Type: Improvement
>          Components: parser
>    Affects Versions: 1.16, 1.17
>         Environment: All
>            Reporter: Richard Jones
>            Priority: Major
>         Attachments: screenshot-1.png, screenshot-2.png
>
>
> The currently referenced 4.5.5 versions of edu.ucar:grib and edu.ucar:cdm 
> (released in Mar 2015), as well as being branch EOL themselves, depend on 
> many other project/branch/version EOL artifacts for which much later and 
> active versions are often available. The list is as follows:
> - edu.ucar:grib depends on the project EOL bzip2. Much more recent versions 
> of edu.ucar:grib exist that no longer depend on bzip2 (note: Jbzip2 is hosted 
> on the Google Code site, which was shut down for active development in 2015.  
> The project was never migrated to another site, e.g. Github).
> - edu.ucar:grib depends on the 2.0.4 EOL version of org.jdom:jdom2
> - edu.ucar:cdm depends on the 2.6.2 branch EOL version of 
> net.sf.ehcache:ehcache-core
> - edu.ucar:cdm depends on the 2.2.0 EOL version of 
> org.quartz-scheduler:quartz for which active versions are available. In turn 
> org.quartz-scheduler:quartz depends on the 0.9.1.1 branch EOL version of 
> c3p0:c3p0. Later versions of quartz have moved to the active com.mchange:c3p0
> - edu.ucar:grib depends on the 2.5.0 branch EOL version of 
> com.google.protobuf:protobuf-java for which active versions are available.
> Request moving to a much later version of edu.ucar, or alternative artifacts 
> to address all the above EOL issues (lack of active support for 
> vulnerabilities and bugs).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to