This page captures the dependency upgrade situation in the Policy Framework during the London development
| Version in Policy Framework | Latest Version | Issue |
|---|---|---|
| org.glassfish.jaxb:jaxb-runtime:2.3.8 | org.glassfish.jaxb:jaxb-runtime:4.0.2 | Needs Jakarta types/annotations |
| org.hibernate:hibernate-core:5.6.15.Final | org.hibernate:hibernate-core:6.1.7.Final | Needs Spring 6 |
| jakarta.validation:jakarta.validation-api:2.0.2 | jakarta.validation:jakarta.validation-api:3.0.2 | |
| javax.xml.bind:jaxb-api:2.3.1 | jakarta.xml.bind:jakarta.xml.bind-api:4.0.0 | Last update to javax was in 2018 |
| javax.servlet:javax.servlet-api:4.0.1 | jakarta.servlet:jakarta.servlet-api:6.0.0 | Last update to javax was in 2018 |
| javax.ws.rs:javax.ws.rs-api:2.1.1 | jakarta.ws.rs:jakarta.ws.rs-api:3.1.0 | Last update to javax was in 2018 |
| org.glassfish.jersey.core:jersey-server:2.38 | org.glassfish.jersey.core:jersey-server:3.1.1 | Also other Jersey dependencies, needs Jakarta types/annotations |
| org.eclipse.jetty:jetty-http:10.0.13 | org.eclipse.jetty:jetty-http:11.0.13 | Also other Jetty dependencies, needs Jakarta types/annotations, no longer supports Swagger servlet, downgraded from oparent in Policy Framework |
| ch.qos.logback:logback-core:1.2.11 | ch.qos.logback:logback-core:1.4.5 | Needs Springboot 3, downgraded from oparent in Policy Framework |
| org.slf4j:slf4j-api:1.7.36 | org.slf4j:slf4j-api:2.0.6 | Needs Springboot 3 |
| org.springframework:spring-core:5.3.25 | org.springframework:spring-core:6.0.4 | Also other Spring dependencies, needs Java 17, downgraded from oparent in Policy Framework |
| org.springframework.security:spring-security-test:5.8.1 | org.springframework.security:spring-security-test:6.0.1 | Needs Spring 6 |
| org.springframework.boot:spring-boot-starter-web:2.7.8 | org.springframework.boot:spring-boot-starter-web:3.0.2 | Also other Springboot dependencies |
| org.apache.tomcat.embed:tomcat-embed-core:9.0.71 | org.apache.tomcat.embed:tomcat-embed-core:10.1.5 | Needs Spring 6 and Springboot 3, downgraded from oparent in Policy Framework |

Issues
- The main issue is the move from javax. to jakarta. for all the REST annotations and types. This causes widespread but trivial code changes in most components.
- The removal of the Swagger servlet is not an issue from a functional point of view because we have switched to an OpenAPI first approach in London. However, there are some minor code changes in policy/common endpoints and in components that use policy/common endpoints to remove this functionality.
- We can't step the version of the logging dependencies because the new versions of those dependencies do not work with Springboot 2.
- The new versions of hibernate and tomcat do not work with Spring 5 and Springboot 2.
- The main blocker is policy/xacml-pdp and the javax XML bind libraries. The com.att.research:xacml-pdp dependency uses javax XML binding. If this dependency were updated, all the other update work could be done in the Policy Framework.
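
One way to check which third-party jars still bind to the javax namespaces listed in the table, as the blocker above describes, is to scan their class files for those names. This is an added example, not Policy Framework code; the entry names and the sample jar are constructed for illustration.

```python
import io
import zipfile

# Namespaces from the table above that moved from javax.* to jakarta.*.
# JDK packages (javax.crypto, javax.net, javax.sql, ...) did not move and are ignored.
MIGRATED = ("javax.xml.bind.", "javax.servlet.", "javax.ws.rs.", "javax.validation.")


def scan_jar(jar):
    """Map each .class entry in a jar (path or file object) to the migrated
    javax namespaces it references."""
    hits = {}
    with zipfile.ZipFile(jar) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".class"):
                continue
            data = zf.read(entry)
            found = [
                ns for ns in MIGRATED
                # Constant pools store type names as javax/xml/bind/...;
                # reflective lookups keep the dotted form as a string constant.
                if ns.encode() in data or ns.replace(".", "/").encode() in data
            ]
            if found:
                hits[entry] = found
    return hits


def build_sample_jar():
    """Constructed sample: byte blobs that imitate constant-pool contents,
    not real compiled classes. All entry names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/Engine.class",
                    b"\xca\xfe\xba\xbe\x00Ljavax/xml/bind/JAXBContext;\x00")
        zf.writestr("org/example/Rest.class",
                    b"\xca\xfe\xba\xbe\x00javax/ws/rs/GET\x00javax.servlet.Filter\x00")
        zf.writestr("org/example/Tls.class",
                    b"\xca\xfe\xba\xbe\x00javax/net/ssl/SSLContext\x00")
        zf.writestr("META-INF/notes.txt", b"mentions javax/servlet/ in text")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, namespaces in scan_jar(build_sample_jar()).items():
        print(entry, "->", ", ".join(namespaces))
```

Any jar that reports hits has to be upgraded or replaced before its consumers can move to the jakarta artifacts.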