I think that it would be easier to maintain the workflow test dependencies
inside the git plugin by using the new BOM that Jesse has created.

As a test, I tried to use the BOM with the git client plugin.  That change
allowed me to remove the explicit version numbers from 4 dependencies.
That is a very nice improvement for a plugin that has relatively few
dependencies.

However, when I look at the dependencies which are assigned by the 2.138.1
version of the BOM, it assigns

   - ssh-credentials 1.17.1
   - credentials 2.2.0

I've generally preferred to keep the dependency at the oldest version I can
reasonably trust.  In this case, the BOM is choosing the second most recent
release of the credentials plugin.

I believe in this case that the credentials plugin 2.2.0 is the required
dependency from the BOM because it is the version which includes the most
recent security fix for the credentials plugin.

A different security advisory recommends that ssh-credentials should be
newer than 1.13.  Is there a specific reason that 1.17.1 was selected
rather than 1.14?

Am I correct to assume that it is safe, reasonable, and healthy for the git
client plugin (and the git plugin) to use the BOM and accept that means
they will generally have newer dependencies than they did in the past?

Mark Waite

-- 
Thanks!
Mark Waite
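As an added illustration (not from Mark's message and not the git client plugin's actual pom.xml), this is the shape of the change described above: the hand-pinned versions are dropped from the plugin's dependency entries and a BOM import in dependencyManagement supplies them instead. The BOM coordinates (io.jenkins.tools.bom:bom:2.138.1) and the "before" version placeholders are assumptions, not values taken from the message.

```xml
<!-- Illustrative pom.xml fragment for a Jenkins plugin; BOM coordinates are an assumption -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- One import line replaces per-dependency version pins -->
      <dependency>
        <groupId>io.jenkins.tools.bom</groupId>
        <artifactId>bom</artifactId>
        <version>2.138.1</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Before (placeholder versions, removed once the BOM is imported):
         <version>X.Y.Z</version> on each of these entries -->
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>credentials</artifactId>
      <!-- version now comes from the BOM: 2.2.0 per the message -->
    </dependency>
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>ssh-credentials</artifactId>
      <!-- version now comes from the BOM: 1.17.1 per the message -->
    </dependency>
  </dependencies>
</project>
```

To confirm which versions the BOM actually resolved for the plugin, run `mvn dependency:tree` and check that credentials and ssh-credentials sit at or above the versions the security advisories call for.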
