-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: updating tomcat version to v10.1.33 #3939
Closed
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we pin just one extra dependency for upgrade? Does it make sense to update the spring-boot-starter-web patch version rather than just one specific dependency? This way we would be pinning one dependency after another that would be difficult to manage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it has 4 dependencies. 3 of them are tomcat and 1 is jakarta-annotations-api. all 3 tomcat dependencies need to be upgraded. I dont think there will be any issue in upgrading jakarta-annotations-api to latest version, it has no breaking changes or vulnerabilities in the latest version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tomcat is a transitive dependency of spring-boot-starter-web. Why do we upgrade only the tomcat and not the whole spring-boot-starter-web (which is already 2 patches behind)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
only tomcat is listed to be upgraded to this particular version for v3. its mentioned in the description of the task for dependency upgrade.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now I see, it was not clear which issue is the PR related to as there is no reference. Even though the task mentions tomcat specifically, we should bear in mind that spring dependencies are provided as versioned sets and are tested together. Mixing spring boot transitive dependencies across different versions may bring unexpected troubles because these combinations are not tested and not guaranteed by spring to work. Such request to update a specific transitive dependency should imply upgrade of the main package we depend on, unless there is very strong reason not to do so.