vert-x3 / vertx-dependencies
Defines the versions of the Vert.x components of the Vert.x stack.
License: Apache License 2.0
The dependencyManagement of vertx-dependencies has a reference to vertx-mail and vertx-mongo; however, that is not built and released since 3.5.1, almost 3 years ago.
<dependency>
  <groupId>io.vertx</groupId>
  <artifactId>vertx-mail</artifactId>
  <version>4.0.0.CR1</version>
</dependency>
<dependency>
  <groupId>io.vertx</groupId>
  <artifactId>vertx-mongo</artifactId>
  <version>4.0.0.CR1</version>
</dependency>
vertx-zookeeper was also in vertx-dependencies, but was not tagged and released for 4.0.0.CR1. If it has been dropped, it should be removed from here.
<dependency>
  <groupId>io.vertx</groupId>
  <artifactId>vertx-zookeeper</artifactId>
  <version>4.0.0.CR1</version>
</dependency>
Upgrade to Netty 4.1.48.Final and TC native 2.0.29.Final
Backport #87 to 4.2
Declare dependencies of the Vert.x stack we want to guarantee to be the same throughout the stack.
org.slf4j
groupId org.apache.logging.log4j
groupId org.yaml:snakeyaml
com.google.guava:guava
The vertx-lang-kotlin-coroutines dependency is missing; it should be added from version 3.5.0.
In order to make sure logging frameworks are not transitive dependencies of vert.x, we have forced the versions and scope of log4j and others in 1c6a087.
This prevents users from simply adding log4j core or logback to their project dependencies in order to get logging to work (see forum or StackOverflow).
The workaround is to add the log4j bom before the vertx stack depchain in the user project. We do the same in the Vert.x starter:
I see with Black Duck analyzer that vertx jackson dependencies present a lot of security defects (see: https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html).
I recommend moving to Jackson 2.10.x in order to solve this.
vertx-web-templ-rythm is built in vertx-web but has no dependency definition in vertx-dependencies master like all other web-templ
Upgrade to Netty 4.1.73.Final
Currently the BOM doesn't have the vertx-health-check dependency.
See: GHSA-57j2-w4cx-62h2
Although jackson-databind isn't a dependency used by vert.x core modules, we should bump the version we use as it imports the official jackson bom which sets the default version for this dependency by projects that include it without locking the version.
Fixed by: 3e90e8d
It seems that jackson is updated to the 2.10.x line in the upcoming version 3.9.0 and they have released another patch version. It might be valuable to update to 2.10.3 before releasing 3.9.0
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10.3
Hi,
Please upgrade jackson-databind to version 2.9.4 or later (2.9.5).
Netty has released a couple of additional patch versions. It might be valuable to update to 4.1.48.Final before releasing 3.9.0
Hi,
Please upgrade jackson-databind to version 2.9.7.
Snyk: https://app.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449
CVEs: CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721
CWEs: CWE-502
edit: updated CVEs
Read this first before creating an issue:
Give the simplest and best explanation.
A list of use cases this feature will enable and the value it creates.
Who should implement this feature? Are you volunteering to implement this feature, or do you know someone who is able and willing to implement this feature?
The vertx-dependencies dependencyManagement section has references to multiple vertx artifacts that do not exist:
io.vertx:vertx-consul
io.vertx:vertx-mongo
io.vertx:vertx-mail
io.vertx:vertx-jgroups (last released 3.5.0.Beta1)
io.vertx:vertx-maven-service-factory-parent (last released 3.1.0)
I checked on Maven Central and they were last released for version 3.5.1 (unless stated alongside the artifact) and are still in the 3.5.3 branch and master (3.6), so I guess they were never removed when the projects changed.
Vert.x 4.4.5 appears to have a dependency on jackson-core 2.15.0, which introduced a breaking change in the default max String value length (FasterXML/jackson-core#1014).
Would you please consider updating the jackson-core dependency in a future release?
Bumps:
Fixes