-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump parameterized-trigger from 2.39 to 2.43.1 #1369
Bump parameterized-trigger from 2.39 to 2.43.1 #1369
Conversation
Bumps [parameterized-trigger](https://github.com/jenkinsci/parameterized-trigger-plugin) from 2.39 to 2.43.1. - [Release notes](https://github.com/jenkinsci/parameterized-trigger-plugin/releases) - [Changelog](https://github.com/jenkinsci/parameterized-trigger-plugin/blob/master/CHANGELOG.md) - [Commits](jenkinsci/parameterized-trigger-plugin@parameterized-trigger-2.39...parameterized-trigger-2.43.1) --- updated-dependencies: - dependency-name: org.jenkins-ci.plugins:parameterized-trigger dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dependabot merge
I generally prefer to not upgrade the version of an optional dependency, but 2.43.1 is a fix for a security vulnerability and it has been available to users for 6 months or more. A reasonable requirement that if the user is running parameterized trigger plugin, it needs to be at least 2.43.1.
Was released a year ago and is required as a minimum version for parameterized trigger plugin
Notes from Basil Crow: Can be reproduced in git-plugin by running ``` $ mvn -Denforcer.skip=true \ -Dhpi-plugin.version=3.37 -Djenkins.version=2.381 \ -Djth.jenkins-war.path=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWar=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWarAdditions=true -Dtest=InjectedTest \ -DupperBoundsExcludes=javax.servlet:servlet-api -DuseUpperBounds=true \ clean verify ``` after running ``` $ PLUGINS=git TEST=InjectedTest bash local-test.sh ``` in bom to build the megawar. Bisection shows the trouble started occurring at jenkinsci#1369 which updated parameterized-trigger from 2.39 to 2.43.1, which in turn updated conditional-buildstep from 1.3.1 to 1.4.1, which in turn put maven-plugin on the compile classpath. Turns out that declaring maven-plugin as non-optional was a bug in conditional-buildstep 1.4.1, fixed in 1.4.2 with jenkinsci/conditional-buildstep-plugin#27. Verified that the problem can be successfully worked around in git-plugin by downgrading parameterized-trigger back to 2.39 (which also downgrades conditional-buildstep down to 1.3.1) or upgrading conditional-buildstep to 1.4.2 with diff --git a/pom.xml b/pom.xml index 3753e57c..e187d4f4 100644 --- a/pom.xml +++ b/pom.xml @@ -79,6 +79,11 @@ <type>pom</type> <scope>import</scope> </dependency> + <dependency> + <groupId>org.jenkins-ci.plugins</groupId> + <artifactId>conditional-buildstep</artifactId> + <version>1.4.2</version> + </dependency> </dependencies> </dependencyManagement> But a better solution would be to upgrade conditional-buildstep to 1.4.2 in parameterized-trigger; i.e., releasing jenkinsci/parameterized-trigger-plugin#252 and then upgrading to that release in the Git plugin.
Notes from Basil Crow: Can be reproduced in git-plugin by running ``` $ mvn -Denforcer.skip=true \ -Dhpi-plugin.version=3.37 -Djenkins.version=2.381 \ -Djth.jenkins-war.path=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWar=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWarAdditions=true -Dtest=InjectedTest \ -DupperBoundsExcludes=javax.servlet:servlet-api -DuseUpperBounds=true \ clean verify ``` after running ``` $ PLUGINS=git TEST=InjectedTest bash local-test.sh ``` in bom to build the megawar. Bisection shows the trouble started occurring at #1369 which updated parameterized-trigger from 2.39 to 2.43.1, which in turn updated conditional-buildstep from 1.3.1 to 1.4.1, which in turn put maven-plugin on the compile classpath. Turns out that declaring maven-plugin as non-optional was a bug in conditional-buildstep 1.4.1, fixed in 1.4.2 with jenkinsci/conditional-buildstep-plugin#27. Verified that the problem can be successfully worked around in git-plugin by downgrading parameterized-trigger back to 2.39 (which also downgrades conditional-buildstep down to 1.3.1) or upgrading conditional-buildstep to 1.4.2 with diff --git a/pom.xml b/pom.xml index 3753e57c..e187d4f4 100644 --- a/pom.xml +++ b/pom.xml @@ -79,6 +79,11 @@ <type>pom</type> <scope>import</scope> </dependency> + <dependency> + <groupId>org.jenkins-ci.plugins</groupId> + <artifactId>conditional-buildstep</artifactId> + <version>1.4.2</version> + </dependency> </dependencies> </dependencyManagement> But a better solution would be to upgrade conditional-buildstep to 1.4.2 in parameterized-trigger; i.e., releasing jenkinsci/parameterized-trigger-plugin#252 and then upgrading to that release in the Git plugin.
Bumps parameterized-trigger from 2.39 to 2.43.1.
Release notes
Sourced from parameterized-trigger's releases.
... (truncated)
Commits
ae0ac1a
[maven-release-plugin] prepare release parameterized-trigger-2.43.16b7cd22
[SECURITY-2185]ae7eb39
Prepare 2.43.x stable branch38a7ff8
[maven-release-plugin] prepare for next development iteration4aa22d7
[maven-release-plugin] prepare release parameterized-trigger-2.4356514a1
Bump actions/setup-java from 2.3.1 to 2.4.0 (#228)b2efcca
Bump actions/cache from 2.1.6 to 2.1.7 (#227)9d95a99
Bump promoted-builds from 3.10 to 3.11eabedca
style: Prepare for PNG icon removal from core (#230)5c1ff14
[maven-release-plugin] prepare for next development iterationDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot will merge this PR once CI passes on it, as requested by @MarkEWaite.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase
will rebase this PR@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it@dependabot merge
will merge this PR after your CI passes on it@dependabot squash and merge
will squash and merge this PR after your CI passes on it@dependabot cancel merge
will cancel a previously requested merge and block automerging@dependabot reopen
will reopen this PR if it is closed@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.