Hi,

Re transient dependency: an option would have been to exclude the commons dependency on the directory dependency and explicitly add a more recent commons dependency on the project. Commons generally does a fairly decent job of keeping backwards compatibility.

Regards
Felix

--
Typos caused by my iPhone

> On 21.12.2016 at 17:14, Julian Reschke <julian.resc...@gmx.de> wrote:
>
> So, summarizing:
>
> 1) I was reviewing build dependencies after discovering an old pull request
> for Jackrabbit, complaining about the use of a security challenged version of
> commons-collections (see https://issues.apache.org/jira/browse/JCR-4080)
>
> 2) Asked Manfred to bump up the version of org.apache.directory.api.api-all
> in auth-ldap, which itself had a dependency on the old version of
> commons-collections (see https://issues.apache.org/jira/browse/OAK-5336)
>
> 3) Tests passed on our Windows machines, but not on Jenkins. Turns out that
> tests were disabled on Windows (see
> https://issues.apache.org/jira/browse/OAK-2904)
>
> 4) Finally fixed tests by also bumping up the test dependency for the
> directory server implementation.
>
> 5) After some digging, found *why* the tests were failing on Windows, fixed
> that, and re-enabled them (https://issues.apache.org/jira/browse/OAK-5358)
>
> 6) We're still referencing a Release Candidate for
> org.apache.directory.api.api-all, and the API *has* changed in the last 12
> months. We need to make sure that once that is released, we update our code
> (and branches as well). Opened https://issues.apache.org/jira/browse/OAK-5361
> (scheduling it for 1.8) to track this.
>
> Best regards, Julian
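
The exclusion approach described in the reply above, sketched as a Maven `pom.xml` fragment. This is an added example, not part of the original thread or the Oak build. It assumes the old library arrives transitively under the coordinates `commons-collections:commons-collections`, and both version strings are placeholders because the thread does not state them.

```xml
<!-- Added illustration: exclude the transitive commons-collections pulled in
     by the directory API, then declare a newer one directly.
     Both <version> values are placeholders, not values from the thread. -->
<dependencies>

  <!-- Directory API dependency used by auth-ldap (coordinates from the thread). -->
  <dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-all</artifactId>
    <version>API_ALL_VERSION_PLACEHOLDER</version>
    <exclusions>
      <!-- Drop the old transitive copy so it can no longer reach the classpath.
           Assumed coordinates: commons-collections:commons-collections. -->
      <exclusion>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Explicit, more recent commons-collections declared on the project itself,
       so the version is chosen here rather than inherited. -->
  <dependency>
    <groupId>commons-collections</groupId>
    <artifactId>commons-collections</artifactId>
    <version>PATCHED_COMMONS_COLLECTIONS_VERSION_PLACEHOLDER</version>
  </dependency>

</dependencies>
```

Running `mvn dependency:tree -Dincludes=commons-collections` afterwards shows which version actually resolves and through which path, which confirms that no other dependency reintroduces the old one.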