Bump beam to 2.61, pin beam dependencies, reduce dependabot noise #925
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #925 +/- ##
=========================================
Coverage 91.65% 91.65%
Complexity 252 252
=========================================
Files 26 26
Lines 947 947
Branches 71 71
=========================================
Hits 868 868
Misses 52 52
Partials 27 27 |
There was a problem hiding this comment.
Reducing dependabot noise looks good.
Still, can you expand on why are dependencies being downgraded? Or why syncing with with older versions Beam release?
In my experience Beam does not keep dependencies up to date very well, sometimes carrying vulnerabilities. The up to date versions here have been "more compatible" with maven enforcer, and had no runtime issues (mostly minor bumps, no breaking changes).
pom.xml
Outdated
| <!-- https://github.com/apache/beam/blob/release-2.60.0/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L586 --> | ||
| <beam.version>2.60.0</beam.version> |
There was a problem hiding this comment.
| <!-- https://github.com/apache/beam/blob/release-2.60.0/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L586 --> | |
| <beam.version>2.60.0</beam.version> | |
| <!-- https://github.com/apache/beam/blob/release-2.61.0/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L586 --> | |
| <beam.version>2.61.0</beam.version> |
There was a problem hiding this comment.
beam 2.61.0 artifact has been promoted yesterday. When updating to 2.61, we'll make sure all deps are in sync
| <hamcrest.version>2.1</hamcrest.version> | ||
| <httpclient.version>4.5.13</httpclient.version> | ||
| <httpcore.version>4.4.14</httpcore.version> | ||
| <jackson.version>2.15.4</jackson.version> |
There was a problem hiding this comment.
| <jackson.version>2.15.4</jackson.version> | |
| <jackson.version>2.17.3</jackson.version> |
Keep up to date?
There was a problem hiding this comment.
I'd rather keep beam's version to not mix with jackson modules. If we upgrade, we should use jackson BOM instead.
| <!-- https://storage.googleapis.com/cloud-opensource-java-dashboard/com.google.cloud/libraries-bom/26.45.0/index.html --> | ||
| <google-cloud-libraries-bom.version>26.45.0</google-cloud-libraries-bom.version> |
There was a problem hiding this comment.
| <!-- https://storage.googleapis.com/cloud-opensource-java-dashboard/com.google.cloud/libraries-bom/26.45.0/index.html --> | |
| <google-cloud-libraries-bom.version>26.45.0</google-cloud-libraries-bom.version> | |
| <!-- https://storage.googleapis.com/cloud-opensource-java-dashboard/com.google.cloud/libraries-bom/26.50.0/index.html --> | |
| <google-cloud-libraries-bom.version>26.50.0</google-cloud-libraries-bom.version> |
There was a problem hiding this comment.
We're syncing with beam's version
| <commons-codec.version>1.17.1</commons-codec.version> <!-- libraries-bom version --> | ||
| <commons-compress.version>1.26.2</commons-compress.version> | ||
| <errorprone.version>2.10.0</errorprone.version> | ||
| <guava.version>33.1.0-jre</guava.version> |
There was a problem hiding this comment.
| <guava.version>33.1.0-jre</guava.version> | |
| <guava.version>33.3.1-jre</guava.version> |
| <netty.version>4.1.100.Final</netty.version> | ||
| <slf4j.version>1.7.30</slf4j.version> | ||
| <threetenbp.version>1.6.8</threetenbp.version> | ||
| <zstd-jni.version>1.5.6-3</zstd-jni.version> |
There was a problem hiding this comment.
| <zstd-jni.version>1.5.6-3</zstd-jni.version> | |
| <zstd-jni.version>1.5.6-8</zstd-jni.version> |
| @@ -554,6 +543,32 @@ | |||
| <!-- Keep aligned with prerequisite section below. --> | |||
| <version>[3.3.9,)</version> | |||
| </requireMavenVersion> | |||
| <requireUpperBoundDeps> | |||
| <excludes> | |||
| <!-- managed by beam BOM --> | |||
There was a problem hiding this comment.
Why?
AFAIU maven enforcer helps to keep dependency compatibilities. With these many exclusions wouldn't the risk of post release runtime errors increase?
There was a problem hiding this comment.
This is the strategy we used with scio. We upgrade those libs along with beam
| @@ -12,15 +12,34 @@ updates: | |||
| - dependency-name: com.fasterxml.jackson.core:jackson-annotations | |||
| - dependency-name: com.fasterxml.jackson.core:jackson-core | |||
| - dependency-name: com.fasterxml.jackson.core:jackson-databind | |||
| - dependency-name: com.fasterxml.jackson:jackson-bom | |||
| - dependency-name: com.github.luben:zstd-jni | |||
There was a problem hiding this comment.
| - dependency-name: com.github.luben:zstd-jni |
I think we can keep zstd updates, as they are decoupled with Beam.
There was a problem hiding this comment.
zstd-jni is not following classic semver. the postfix -3 causes sometimes conflict with dependency resolvers. We prefer to stick with on the common version with beam
| <httpcore.version>4.4.14</httpcore.version> | ||
| <jackson.version>2.15.4</jackson.version> | ||
| <joda-time.version>2.10.14</joda-time.version> | ||
| <netty.version>4.1.100.Final</netty.version> |
There was a problem hiding this comment.
| <netty.version>4.1.100.Final</netty.version> | |
| <netty.version>4.1.115.Final</netty.version> |
RustedBones
changed the title
| @@ -12,15 +12,34 @@ updates: | |||
| - dependency-name: com.fasterxml.jackson.core:jackson-annotations | |||
| - dependency-name: com.fasterxml.jackson.core:jackson-core | |||
| - dependency-name: com.fasterxml.jackson.core:jackson-databind | |||
| - dependency-name: com.fasterxml.jackson:jackson-bom | |||
| - dependency-name: com.github.luben:zstd-jni | |||
There was a problem hiding this comment.
zstd-jni is not following classic semver. the postfix -3 causes sometimes conflict with dependency resolvers. We prefer to stick with on the common version with beam
| <hamcrest.version>2.1</hamcrest.version> | ||
| <httpclient.version>4.5.13</httpclient.version> | ||
| <httpcore.version>4.4.14</httpcore.version> | ||
| <jackson.version>2.15.4</jackson.version> |
There was a problem hiding this comment.
I'd rather keep beam's version to not mix with jackson modules. If we upgrade, we should use jackson BOM instead.
| <httpcore.version>4.4.14</httpcore.version> | ||
| <jackson.version>2.15.4</jackson.version> | ||
| <joda-time.version>2.10.14</joda-time.version> | ||
| <netty.version>4.1.100.Final</netty.version> |
| <netty.version>4.1.100.Final</netty.version> | ||
| <slf4j.version>1.7.30</slf4j.version> | ||
| <threetenbp.version>1.6.8</threetenbp.version> | ||
| <zstd-jni.version>1.5.6-3</zstd-jni.version> |
| <!-- https://storage.googleapis.com/cloud-opensource-java-dashboard/com.google.cloud/libraries-bom/26.45.0/index.html --> | ||
| <google-cloud-libraries-bom.version>26.45.0</google-cloud-libraries-bom.version> |
There was a problem hiding this comment.
We're syncing with beam's version
| @@ -554,6 +543,32 @@ | |||
| <!-- Keep aligned with prerequisite section below. --> | |||
| <version>[3.3.9,)</version> | |||
| </requireMavenVersion> | |||
| <requireUpperBoundDeps> | |||
| <excludes> | |||
| <!-- managed by beam BOM --> | |||
There was a problem hiding this comment.
This is the strategy we used with scio. We upgrade those libs along with beam
Note that this involves downgrading some libraries to be in sync with the beam release