camunda-bpm-platform: Add `camunda-only-bom` which doesn't include any third-party libraries

Environment

7.20.0-alpha6

Description

Consider removing 3rd party dependencies from camunda-bom.

While reading camunda-bom pom.xml I noticed it includes dependency management for mybatis, joda-time and java-uuid-generator. IIRC a BOM should only provide dependency management for the modules managed directly by the project.

Solution Ideas

Move dependency management for 3rd party dependencies from the bom to the project's parent pom.

Hints

https://github.com/Azure/azure-sdk-for-java/issues/26136
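A check for the point this issue makes, added here as an example and not part of the issue or of the Camunda project: it parses a BOM, separates the project's own modules (same groupId as the BOM) from third-party entries, and emits the "camunda-only" variant with the third-party entries dropped, which is what would be left once they move to the parent pom. `SAMPLE_BOM` is a constructed, simplified stand-in for camunda-bom's pom.xml (an assumption about its shape, not the real file); the coordinates are the standard Maven coordinates of the libraries named in this thread, and the third-party versions are the ones listed later in the thread.

```python
"""Split a Maven BOM into project-owned and third-party managed dependencies.

Added example for this issue, not Camunda's own code. SAMPLE_BOM is a
constructed, simplified stand-in for camunda-bom's pom.xml.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed BOM (not the real camunda-bom). The three third-party entries
# carry the versions the thread lists as currently managed.
SAMPLE_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.camunda.bpm</groupId>
  <artifactId>camunda-bom</artifactId>
  <version>7.20.0-alpha6</version>
  <properties>
    <version.mybatis>3.5.6</version.mybatis>
    <version.joda-time>2.1</version.joda-time>
    <version.uuid-generator>3.2.0</version.uuid-generator>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.camunda.bpm</groupId>
        <artifactId>camunda-engine</artifactId>
        <version>${project.version}</version>
      </dependency>
      <dependency>
        <groupId>org.mybatis</groupId>
        <artifactId>mybatis</artifactId>
        <version>${version.mybatis}</version>
      </dependency>
      <dependency>
        <groupId>joda-time</groupId>
        <artifactId>joda-time</artifactId>
        <version>${version.joda-time}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.uuid</groupId>
        <artifactId>java-uuid-generator</artifactId>
        <version>${version.uuid-generator}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def _tag(name):
    """Qualify a POM element name with the Maven namespace."""
    return f"{{{POM_NS}}}{name}"


def _text(parent, name, default=""):
    el = parent.find(_tag(name))
    return el.text.strip() if el is not None and el.text else default


def _is_own_module(group_id, project_group):
    """Own modules share the BOM's groupId (or a sub-group of it)."""
    return group_id == project_group or group_id.startswith(project_group + ".")


def resolve_version(raw, props, project_version):
    """Expand ${project.version} and ${property} placeholders from <properties>."""
    if raw == "${project.version}":
        return project_version
    if raw.startswith("${") and raw.endswith("}"):
        return props.get(raw[2:-1], raw)
    return raw


def managed_dependencies(pom_xml):
    """List every <dependencyManagement> entry with its resolved version and
    whether it is one of the project's own modules. Assumes the BOM declares
    its own <groupId> (not inherited from a <parent>)."""
    root = ET.fromstring(pom_xml)
    project_group = _text(root, "groupId")
    project_version = _text(root, "version")
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall(f"{_tag('properties')}/*")}
    path = f"{_tag('dependencyManagement')}/{_tag('dependencies')}/{_tag('dependency')}"
    deps = []
    for dep in root.findall(path):
        group = _text(dep, "groupId")
        deps.append({
            "groupId": group,
            "artifactId": _text(dep, "artifactId"),
            "version": resolve_version(_text(dep, "version"), props, project_version),
            "own": _is_own_module(group, project_group),
        })
    return deps


def third_party_in_bom(pom_xml):
    """(groupId, artifactId, version) for each managed dependency that is not a
    project module: the entries the issue says belong in the parent pom."""
    return [(d["groupId"], d["artifactId"], d["version"])
            for d in managed_dependencies(pom_xml) if not d["own"]]


def project_only_bom(pom_xml):
    """Return the BOM with third-party entries removed (a camunda-only-bom)."""
    root = ET.fromstring(pom_xml)
    project_group = _text(root, "groupId")
    deps_el = root.find(f"{_tag('dependencyManagement')}/{_tag('dependencies')}")
    for dep in list(deps_el):
        if not _is_own_module(_text(dep, "groupId"), project_group):
            deps_el.remove(dep)
    ET.register_namespace("", POM_NS)  # keep the default xmlns on output
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for g, a, v in third_party_in_bom(SAMPLE_BOM):
        print(f"third-party in BOM: {g}:{a}:{v}  -> move to parent pom")
    print(project_only_bom(SAMPLE_BOM))
```

Running the block against the sample flags mybatis, joda-time and java-uuid-generator and prints a BOM that manages only camunda-engine. On a real project, the same split can be confirmed from the consumer side with `mvn help:effective-pom -Dverbose=true`, which annotates each managed version with the POM it was inherited or imported from.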

About this issue

  • State: closed
  • Created 9 months ago
  • Comments: 22 (20 by maintainers)

Most upvoted comments

Hi @tasso94,

I have created issues for mybatis and joda-time. Thank you for taking a more regular upgrade policy into consideration.

Best, Lars

Hi all. Continuing on the off-topic outdated libraries… There is a critical vulnerability (CVE-2019-17571) in log4j, which is used by java-uuid-generator. It was fixed in version 4. Is there a plan to upgrade it?

Hi @tasso94, thanks for coming back to my issue. I maintain a corporate maven parent where I include several BOMs from different sources. When third-party libraries are managed in one of those boms it becomes quite hard to analyse where the version is actually coming from. Why should I expect, or how should I know, that e.g. joda-time is being version-managed by Camunda's bom? The notable exception in my case is the spring-boot-dependencies bom, where I rely on the spring team to manage a curated list of 3rd party versions.

Slightly off-topic, but related. The third party versions managed in the camunda-bom are quite outdated. Why is that?

version.mybatis: 3.5.6 => 3.5.13
version.joda-time: 2.1 => 2.12.5
version.uuid-generator: 3.2.0 => 4.3.0

Thanks, Lars