Keep Derby test dependency on a Java 11-compatible release (10.15.2.0)#96
Conversation
Bumps org.apache.derby:derby from 10.14.2.0 to 10.17.1.0. --- updated-dependencies: - dependency-name: org.apache.derby:derby dependency-version: 10.17.1.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
Investigation: why this bump fails CI, and the resolutionCI failure root causeAll Two independent problems are introduced by bumping
Derby minimum-JVM by branch (downloads page):
Security assessment (CVE-2022-46337)
The only release that fixes the CVE is 10.17.1.0, which requires Java 21 and would drop the project's Java 11 support. Given the vulnerability is not reachable, the Dependabot alert (#124) has been dismissed as ResolutionInstead of 10.17.1.0, the test dependency is bumped to Derby 10.15.2.0 — the newest release still supporting Java 9+ (hence Java 11) — and the split modules are added to the test classpath:
VerificationRan the
Since this PR proposes 10.17.1.0 (incompatible with the Java 11/17 matrix rows), it will be superseded by the 10.15.2.0 change and can be closed. |
Derby 10.17.1.0 requires Java 21 and splits EmbeddedDriver into derbytools, breaking the Java 11/17 rows of the CI matrix. Derby is a test-only embedded database here and the CVE-2022-46337 LDAP authenticator is never used, so bump to 10.15.2.0 (newest release supporting Java 9+) and add the derbytools and derbyshared modules to the test classpath instead.
Bumps org.apache.derby:derby from 10.14.2.0 to 10.17.1.0.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.