So the “provided” issue could be configuration of the enforcer.

> Filtering Dependency Errors
> 
> By default, all dependency convergence errors are reported, and any single 
> error will fail the build. If you want to tune which dependency errors are 
> reported and fail the build, you can add the following optional parameters:
> 
>       • includes - A list of artifacts for which dependency convergence 
>         should be enforced. Not specifying any includes is interpreted the 
>         same as including all artifacts.
>       • excludes - A list of artifacts for which dependency convergence 
>         should not be enforced. These are exceptions to the includes.
>       • excludedScopes - A list of scopes of artifacts for which dependency 
>         convergence should not be enforced. Not specifying any scopes is 
>         interpreted as having the following scopes excluded: provided, test.

Best,
Dave
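
A pom.xml fragment showing the enforcer parameters quoted above next to the dependencyManagement pinning described further down this thread. It is an added example, not configuration from POI, Tika or any poster; the plugin version and the execution id are assumptions, and the log4j-api versions are the ones reported in the thread.

```xml
<!-- Added example: fragment of a consuming project's pom.xml (not from the thread) -->
<dependencyManagement>
  <dependencies>
    <!-- Pin the shared transitive dependency explicitly, so the two paths
         reported in the thread (poi 5.4.0 -> 2.24.3, xmlbeans 5.3.0 -> 2.24.2)
         resolve to one version chosen by this build. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.24.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- Assumed version; use a release whose dependencyConvergence rule
           supports excludedScopes. -->
      <version>3.5.0</version>
      <executions>
        <execution>
          <id>enforce-convergence</id> <!-- hypothetical id -->
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <dependencyConvergence>
                <!-- Written out explicitly: per the quoted documentation these
                     two scopes are already excluded when nothing is specified. -->
                <excludedScopes>
                  <scope>provided</scope>
                  <scope>test</scope>
                </excludedScopes>
              </dependencyConvergence>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```
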

> On Jan 8, 2025, at 12:19 PM, PJ Fanning <fannin...@gmail.com> wrote:
> 
> The logs look like they come from Maven Enforcer and are based on the
> poms published to Maven Central.
> 
> https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html
> 
> On Wed, 8 Jan 2025 at 21:16, Dave Fisher <w...@apache.org> wrote:
>> 
>> 
>> 
>>> On Jan 8, 2025, at 11:13 AM, Tim Allison <talli...@apache.org> wrote:
>>> 
>>> Thank you, all. I'm sorry for the noise.
>>> 
>>> As you all point out, these are not a POI or even XMLBeans issue, and
>>> provided should be, ahem, provided.
>>> 
>>> We added convergence checks in Tika after an irate downstream user
>>> complained.
>> 
>> Just curious if the irate user complaint was based on SBOMs? If so, were 
>> they using CycloneDX generated by a Maven build, or SPDX from GitHub’s 
>> Dependency graph Insights?
>> 
>>> On Tika, we "fix" the convergence problems by specifying the
>>> most recent version in the dependencyManagement section of our parent pom.
>>> This relies on the hope of backward compatibility for the more recent
>>> version for a conflict, and it also relies on unit tests and large scale
>>> regression testing (along the lines of what PJ (or was it Dominik?)
>>> suggested).
>>> 
>>> Again, many thanks!
>> 
>> Best,
>> Dave
>>> 
>>> Cheers,
>>> 
>>>      Tim
>>> 
>>> On Wed, Jan 8, 2025 at 12:41 PM Dominik Stadler
>>> <dominik.stad...@gmx.at.invalid> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> To be honest, I also don't see too much value in applying such checks.
>>>> There will always be failures as soon as larger dependencies are added to a
>>>> project and it is nearly impossible to avoid it while at the same time
>>>> keeping dependencies up-to-date for fixing security issues.
>>>> 
>>>> Dominik.
>>>> 
>>>> 
>>>> On Wed, Jan 8, 2025 at 4:09 PM PJ Fanning <fannin...@apache.org> wrote:
>>>> 
>>>>> We won't be changing this for the release.
>>>>> I, personally, do not understand the use of strict dependency convergence
>>>>> checks. If you have a few dependencies and those dependencies have common
>>>>> transitive dependencies - you are almost guaranteed to have a convergence
>>>>> issue.
>>>>> Why should these tools not be intelligent enough to spot that log4j 2.24.2
>>>>> and 2.24.3 differ only at the patch level (semantic versioning)?
>>>>> For me, strict dependency convergence checks are a very poor substitute
>>>>> for users running acceptance tests when they want to change the versions of
>>>>> their dependencies.
>>>>> You should also strongly consider adding more dependencies in your builds
>>>>> so that you control the version of the jars explicitly instead of relying
>>>>> on the versions in your transitive dependencies. This would also make your
>>>>> dependency convergence checks happy.
>>>>> 
>>>>> 
>>>>> 
>>>>> On 2025/01/08 14:47:10 Joep Weijers wrote:
>>>>>> Hi all,
>>>>>> Great to hear that 5.4.0 is almost released! I tested the version out
>>>>>> and did notice the following dependency convergence issue on
>>>>>> org.apache.logging.log4j:log4j-api:
>>>>>> (Small Maven quickstart archetype pom with a dependency on poi-ooxml
>>>>>> 5.4.0, running `mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-api`)
>>>>>> [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml ---
>>>>>> [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
>>>>>> [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>> [INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
>>>>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
>>>>>> [INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
>>>>>> [INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
>>>>>> Not sure if you’d like to address this before release, but this would
>>>>>> make our build with the dependencyConvergence rule enabled in the Maven
>>>>>> enforcer plugin unhappy. For now I have fixed it by excluding the log4j-api
>>>>>> dependency from poi-ooxml.
>>>>>> Kind regards,
>>>>>> Joep Weijers
>>>>>> 
>>>>>> On 2025/01/07 19:27:58 Tim Allison wrote:
>>>>>>> +1
>>>>>>> 
>>>>>>> Apologies for my delay. Looks good.
>>>>>>> 
>>>>>>> Confirmed src.tgz digest
>>>>>>> Built locally and ran tests
>>>>>>> Integrated with Tika's main branch.
>>>>>>> 
>>>>>>> Thank you PJ, Dominik and team!
>>>>>>> 
>>>>>>> P.S. I did notice some convergence issues. I don't think these are a
>>>>>>> showstopper...not clear if we should fix these in XMLBeans or let
>>>>>>> downstream users fix them in the next release.
>>>>>>> 
>>>>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.apache.maven:maven-settings:jar:3.9.9:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
>>>>>>> [ERROR]             +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.apache.maven:maven-artifact:jar:3.9.9:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-model:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>>>> [ERROR]
>>>>>>> [ERROR]
>>>>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency are:
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
>>>>>>> [ERROR]           +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
>>>>>>> [ERROR] and
>>>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
>>>>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
>>>>>>> 
>>>>>>> 
>>>>>>> On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote:
>>>>>>> 
>>>>>>>> We need at least 1 more review from a POI PMC member before we can
>>>>>>>> proceed. If anyone has time, it would be much appreciated.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 2025/01/02 13:29:43 Dominik Stadler wrote:
>>>>>>>>> Hi,
>>>>>>>>> 
>>>>>>>>> I tested the staged binaries with various projects and reviewed contents of
>>>>>>>>> the source-distribution. Also compilation from source did work. So
>>>>>>>>> everything fine as far as I see.
>>>>>>>>> 
>>>>>>>>> I vote +1 for release!
>>>>>>>>> 
>>>>>>>>> Thanks PJ for preparing the release! Dominik.
>>>>>>>>> 
>>>>>>>>> On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning <fa...@yahoo.com.invalid>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello POI Community,
>>>>>>>>>> 
>>>>>>>>>> This is a call for a vote to release Apache POI version 5.4.0 (RC2).
>>>>>>>>>> 
>>>>>>>>>> The discussion thread:
>>>>>>>>>> https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw
>>>>>>>>>> 
>>>>>>>>>> The release candidate:
>>>>>>>>>> https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> This release has been signed with a PGP key available here:
>>>>>>>>>> https://downloads.apache.org/poi/KEYS
>>>>>>>>>> 
>>>>>>>>>> Release Notes:
>>>>>>>>>> https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
>>>>>>>>>> 
>>>>>>>>>> I will add the svn tag REL_5_4_0 if the vote passes.
>>>>>>>>>> 
>>>>>>>>>> Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1922754
>>>>>>>>>> 
>>>>>>>>>> Please download, verify, and test.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> We have also staged jars in the Apache Nexus Repository.
>>>>>>>>>> These were built with the same code as appears in this Source Release
>>>>>>>>>> Candidate.
>>>>>>>>>> We would appreciate if users could test with these too.
>>>>>>>>>> 
>>>>>>>>>> If anyone finds any serious problems with these jars, please also notify
>>>>>>>>>> us on this thread.
>>>>>>>>>> 
>>>>>>>>>> https://repository.apache.org/content/groups/staging/org/apache/poi/
>>>>>>>>>> 
>>>>>>>>>> In gradle, you can add this repository.
>>>>>>>>>> 
>>>>>>>>>> maven {
>>>>>>>>>>   url "https://repository.apache.org/content/groups/staging/"
>>>>>>>>>> }
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> The VOTE will pass if we have more positive votes than negative votes
>>>>>>>>>> and there must be a minimum of 3 approvals from POI PMC members.
>>>>>>>>>> 
>>>>>>>>>> I will leave the vote open for at least a week.
>>>>>>>>>> 
>>>>>>>>>> [ ] +1 approve
>>>>>>>>>> [ ] +0 no opinion
>>>>>>>>>> [ ] -1 disapprove with the reason
>>>>>>>>>> 
>>>>>>>>>> To learn more about Apache POI, please see https://poi.apache.org/
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Checklist for reference:
>>>>>>>>>> [ ] Download links are valid.
>>>>>>>>>> [ ] Checksums and signatures.
>>>>>>>>>> [ ] LICENSE/NOTICE files exist
>>>>>>>>>> [ ] No unexpected binary files
>>>>>>>>>> [ ] Source files have ASF headers
>>>>>>>>>> [ ] Can compile from source
>>>>>>>>>> 
>>>>>>>>>> To compile from the source, please refer to:
>>>>>>>>>> https://poi.apache.org/devel/index.html
>>>>>>>>>> 
>>>>>>>>>> Some notes about verifying downloads can be found at:
>>>>>>>>>> https://poi.apache.org/download.html
>>>>>>>>>> 
>>>>>>>>>> Here is my +1 (binding).
>>>>>>>>>> 
>>>>>>>>>> Thanks,
>>>>>>>>>> PJ Fanning (Apache POI PMC member)
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
>>>>>>>>>> For additional commands, e-mail: dev-h...@poi.apache.org