Skip to content

Update dependencies #1401

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
labkey-adam merged 2 commits into from
Jun 2, 2026
Merged

Update dependencies #1401

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3fbbc34
Update dependencies
labkey-adam Jun 2, 2026
719671a
Correct some comments. Remove xalan, batik, and fop forces - not needed.
labkey-adam Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 10 additions & 16 deletions build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,9 +224,9 @@ allprojects {
// brought in by SequenceAnalysis, jbrowse
force "org.apache.logging.log4j:log4j-slf4j-impl:${log4j2Version}"
force "org.apache.commons:commons-vfs2:${commonsVfs2Version}"
// force version for consistency with saml, query, LDK, and pipeline
// force version for consistency with query, LDK, and pipeline
force "commons-lang:commons-lang:${commonsLangVersion}"
// force version for consistency with workflow, api, SequenceAnalysis
// force version for consistency with api, SequenceAnalysis
force "org.apache.commons:commons-lang3:${commonsLang3Version}"
force "commons-dbcp:commons-dbcp:${commonsDbcpVersion}"
force "commons-io:commons-io:${commonsIoVersion}"
Expand All @@ -236,9 +236,9 @@ allprojects {
force "org.apache.commons:commons-text:${commonsTextVersion}"
// force version for consistency with search, premium, api
force "org.apache.commons:commons-collections4:${commonsCollections4Version}"
// force version for consistency with query, saml, LDK, api
// force version for consistency with LDK, api
force "commons-collections:commons-collections:${commonsCollectionsVersion}"
// force version for ms2, saml, fileTransfer, harvest, api, accounts, docker
// force version for ms2, fileTransfer, harvest, api, accounts, docker
force "commons-codec:commons-codec:${commonsCodecVersion}"
// force version consistency in TCRdb, SequenceAnalysis, API
force "org.apache.commons:commons-math3:${commonsMath3Version}"
Expand All @@ -249,7 +249,7 @@ allprojects {
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpclient:${httpclientVersion}"
force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}"
// force version for postgresql jdbc, cloud, docker, fileTransfer, saml, query, GoogleDrive, WNPRC_EHR
// force version for postgresql jdbc, cloud, docker, fileTransfer, GoogleDrive, WNPRC_EHR
force "org.checkerframework:checker-qual:${checkerQualVersion}"
// force version for SequenceAnalysis, api, cloud
force "com.google.guava:guava:${guavaVersion}"
Expand All @@ -266,17 +266,15 @@ allprojects {
force "jakarta.xml.bind:jakarta.xml.bind-api:${jaxbApiVersion}"
// force version for accounts, api, query
force "javax.validation:validation-api:${validationApiVersion}"
// force version for accounts, docker, api, workflow
// force version for accounts, docker, api
force "com.fasterxml.jackson.core:jackson-annotations:${jacksonAnnotationsVersion}"
// saml and query bring in different versions transitively; we force the later one
force "xalan:xalan:${xalanVersion}"
// genotyping brings in a much older version of this, so we force a newer version for compatibility
force "org.apache.commons:commons-compress:${commonsCompressVersion}"
// Force ant to be a newer version (transitive dependency of query > eigenbase-resgen > eigenbase-xom)
force "org.apache.ant:ant:${antVersion}"
// Transitive dependency of commons-compress -- Transitive dependency com.github.samtools:htsjdk which references an older version
force "org.tukaani:xz:${tukaaniXZVersion}"
// force version for api, LDK, pipeline, query, saml, but not for the xsdDoc configuration, which requires
// force version for api and LDK, but not for the xsdDoc configuration, which requires
// an older version for the docflex library we use
if (!config.name.equals('xsdDoc'))
force "xml-apis:xml-apis:${xmlApisVersion}"
Expand Down Expand Up @@ -350,9 +348,6 @@ allprojects {
force "org.apache.tika:tika-core:${tikaVersion}"
// OpenLDAPSync and premium have transitive dependency on a broken version of MINA
force "org.apache.mina:mina-core:${apacheMinaVersion}"
// saml has transitive dependencies on old versions of batik and xmlgraphics-commons, which conflict with more recent versions in api
force "org.apache.xmlgraphics:batik-css:${batikVersion}"
force "org.apache.xmlgraphics:xmlgraphics-commons:${fopVersion}"
// force consistency in TCRdb, WNPRC
force "org.javassist:javassist:${javassistVersion}"
force "org.jetbrains:annotations:${annotationsVersion}"
Expand All @@ -365,12 +360,11 @@ allprojects {
// The hamcrest dependencies come through transitively from jackson, junit, jmock
force "org.hamcrest:hamcrest:${hamcrestVersion}"
force "junit:junit:${junitVersion}"
// force consistency in nlp and saml that bring these in transitively
// SAML brings these in transitively
force "org.codehaus.woodstox:stax2-api:${stax2ApiVersion}"
force "com.fasterxml.woodstox:woodstox-core:${woodstoxCoreVersion}"
// force consistency in docker and connectors, saml, nlp
// force consistency in docker, connectors, and saml
force "org.bouncycastle:bcprov-jdk18on:${bouncycastleVersion}"
// force consistency in docker and connectors and saml
force "org.bouncycastle:bcpkix-jdk18on:${bouncycastleVersion}"

// Force consistency for dependencies from pipeline and query
Expand All @@ -387,7 +381,7 @@ allprojects {
// Force snappy-java version for CVE-2023-43642. Remove once HTSJDK bumps its preferred version.
force "org.xerial.snappy:snappy-java:${snappyJavaVersion}"

// Consistency between cloud, pipeline, and query
// Consistency between cloud, pipeline
force "javax.xml.bind:jaxb-api:${jaxbApiOldVersion}"

// Force consistency for dependencies from cloud
Expand Down
37 changes: 17 additions & 20 deletions gradle.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ apacheTomcatVersion=11.0.22
# (mothership) -> json-path -> json-smart -> accessor-smart
# (core) -> graalvm
# tika
asmVersion=9.9.1
asmVersion=9.10

awsSdkVersion=2.29.50

Expand Down Expand Up @@ -194,15 +194,15 @@ httpcoreVersion=4.4.16
intellijKotlinVersion=2.3.10

# Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others
jacksonVersion=2.21.3
jacksonDatabindVersion=2.21.3
jacksonJaxrsBaseVersion=2.21.3
jacksonVersion=2.21.4
jacksonDatabindVersion=2.21.4
jacksonJaxrsBaseVersion=2.21.4

# Note the inconsistent version numbering for "annotations"... it no longer matches the above
jacksonAnnotationsVersion=2.21

# Spring Boot brings in a transitive dependency on Jackson 3.x. It has changed package names and can coexist with Jackson 2.x.
jackson3Version=3.1.3
jackson3Version=3.1.4

# The Jakarta Activation API version that Angus Activation implements. Keep in sync with angusActivationVersion (above).
jakartaActivationApiVersion=2.1.4
Expand All @@ -219,7 +219,7 @@ jaxbOldVersion=2.3.3

# All other direct and indirect uses of JAXB use the current, jakarta-packaged versions
jaxbApiVersion=4.0.5
jaxbVersion=4.0.7
jaxbVersion=4.0.8

jaxrpcVersion=1.1

Expand All @@ -233,12 +233,12 @@ jmockVersion=2.6.0
# Transitive dependency via azure-identity and docker; force for consistency
jnaVersion=5.18.1

jodaTimeVersion=2.14.1
jodaTimeVersion=2.14.2

# brought in transitively by Cloud, FileTransfer, SequenceAnalysis, etc. Need to resolve consistently
jsr305Version=3.0.2

orgJsonVersion=20251224
orgJsonVersion=20260522

jsoupVersion=1.22.2

Expand All @@ -255,12 +255,12 @@ lombokVersion=1.18.46
luceneVersion=10.4.0

# Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
microsoftGraphVersion=6.59.0
microsoftGraphVersion=6.65.0

mssqlJdbcVersion=13.4.0.jre11

# Netty - transitive dependency via azure-core-http-netty; force for CVE-2026-33871, CVE-2026-33870
nettyVersion=4.2.13.Final
nettyVersion=4.2.14.Final
# Reactor - transitive dependency via azure-core; force for version consistency across modules
reactorCoreVersion=3.8.1

Expand Down Expand Up @@ -293,9 +293,9 @@ romeVersion=2.1.0
servletApiVersion=6.1.0

# this version is forced for compatibility with pipeline and tika
slf4jLog4j12Version=2.0.17
slf4jLog4j12Version=2.0.18
# this version is forced for compatibility with api, LDK, and workflow
slf4jLog4jApiVersion=2.0.17
slf4jLog4jApiVersion=2.0.18

# This is a dependency for HTSJDK. Force version for CVE-2023-43642
snappyJavaVersion=1.1.10.8
Expand All @@ -306,26 +306,23 @@ springBootVersion=4.0.6
springVersion=7.0.7
springAiVersion=2.0.0-M6

sqliteJdbcVersion=3.53.0.0
sqliteJdbcVersion=3.53.1.0

# NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version.
# SAML brings stax2-api in as a transitive dependency. We force the latest version.
stax2ApiVersion=4.2.2

thumbnailatorVersion=0.4.21

# used for tika-core in API and tika-parsers in search
tikaVersion=3.3.0
tikaVersion=3.3.1

# sync with Tika
tukaaniXZVersion=1.12

validationApiVersion=1.1.0.Final

# NLP and SAML bring woodstox-core in as a transitive dependency but with very different versions. We force the later version.
woodstoxCoreVersion=7.1.1

# saml and query bring in different versions transitively; we force the later one
xalanVersion=2.7.2
# SAML brings woodstox-core in as a transitive dependency. We force the latest version.
woodstoxCoreVersion=7.2.0

# sync with Tika
xercesImplVersion=2.12.2
Expand Down