remove maven-archiver dependency from java client #2695
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: David Goss <[email protected]>
✅ Deploy Preview for peppy-sprite-186812 canceled.
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2695 +/- ##
=========================================
Coverage 84.08% 84.08%
Complexity 1379 1379
=========================================
Files 248 248
Lines 6295 6295
Branches 286 286
=========================================
Hits 5293 5293
Misses 849 849
Partials 153 153 ☔ View full report in Codecov by Sentry. |
wslulciuc
approved these changes
Dec 1, 2023
There was a problem hiding this comment.
The marquez-java lib. used to be in it's own repo and moved to a multi-module based repo a while back. I can't seem to find the exact commit (or PR) that introduced the maven-archiver lib. to the java client, so it's cool by me to remove 👍
yanlibert
pushed a commit
to libertyann/marquez
that referenced
this pull request
Dec 7, 2023
Signed-off-by: David Goss <[email protected]> Signed-off-by: yanlibert <[email protected]>
yanlibert
pushed a commit
to libertyann/marquez
that referenced
this pull request
Dec 8, 2023
Signed-off-by: David Goss <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
The Java client has a dependency on
maven-archiver, which can bring some transitive vulnerabilities.This is a build tool only though and shouldn't go through as a transitive dependency to consumers of the client. Further, I can't see why it's needed - the
apimodule doesn't have it, and if I remove it and do a build and publish to my local Maven repo, it works fine.Solution
Remove the dependency from
build.gradle.If I'm wrong and this is needed, we could look instead at adding the dependency to
publishingorbuildScriptto avoid consumers getting it unnecessarily.One-line summary:
remove maven-archiver dependency from java client
Checklist
CHANGELOG.md(Depending on the change, this may not be necessary)..sqldatabase schema migration according to Flyway's naming convention (if relevant)