Housekeeping: Update 3rd party dependencies #3786
base: master
Update negative tests for expected number of result messages.
LGTM, no Maven conflicts or issues. But could you please also update a functional test: "PBS should validate request as alias request and emit proper warnings when validation fails for request"?
The error message changed due to an update in the json-schema-validator dependency to:
and: "Bid response should contain warning"
assert bidResponse.ext?.warnings[PREBID]?.code == [999, 999]
assert bidResponse.ext?.warnings[PREBID]*.message ==
    ["WARNING: request.imp[0].ext.prebid.bidder.${APPNEXUS.value} was dropped with a reason: request.imp[0].ext.prebid.bidder.${APPNEXUS.value} failed validation.\n" +
        "\$: must be valid to one and only one schema, but 0 are valid\n" +
        "\$: required property 'placement_id' not found\n" +
        "\$: required property 'inv_code' not found\n" +
        "\$: required property 'placementId' not found\n" +
        "\$: required property 'member' not found\n" +
        "\$: required property 'invCode' not found",
     "WARNING: request.imp[0].ext must contain at least one valid bidder"]
Hi, updated the PR with the functional test change. Thanks for reviewing.
extra/pom.xml
Outdated
<dependency> | ||
<groupId>commons-logging</groupId> | ||
<artifactId>commons-logging</artifactId> | ||
<version>${commons-logging.version}</version> | ||
</dependency> |
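Review bot: declaring commons-logging as a direct `<dependency>` purely to force a version turns a library this module never imports into a first-class dependency that stays on the classpath even after httpclient and the other consumers stop needing it, and it is invisible as a pin to anyone reading the pom later. If a version really must be forced, place the `<version>` under `<dependencyManagement>` so the coordinate is pinned without being declared; otherwise exclude it from the dependencies that pull it in, as the reviewers suggest below.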
Why are you adding this new dependency?
It's getting pulled in at a vulnerable version by another dependency, and this will pin it at a non-vulnerable version.
@JimTharioAmazon I think what @CTMBNara meant is why the dependency was pulled into the project only to define the version. This is usually an extreme measure. There are 3 material project dependencies pulling in the commons-logging library: httpclient, mockserver-client-java and google-cloud-storage (by one of the modules). The correct way forward is to look into the actual usage. I did a quick glance, and you should be able to exclude this dependency from all of them. And the google-cloud-storage dependency could also be bumped. One of the newer versions outright removed this dependency.
extra/pom.xml
Outdated
@@ -120,6 +121,11 @@ | |||
<artifactId>commons-compress</artifactId> | |||
<version>${commons.compress.version}</version> | |||
</dependency> | |||
<dependency> | |||
<groupId>commons-logging</groupId> | |||
<artifactId>commons-logging</artifactId> |
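Review bot: the version property naming is inconsistent between the two entries in this hunk: the new block uses the hyphenated `${commons-logging.version}` (as shown in the earlier snippet of the same change), while the commons-compress entry two lines above uses the dot-separated `${commons.compress.version}`. Pick one scheme for version properties in extra/pom.xml so the pins are easy to find and audit.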
Leaving a separate remark. This looks unnecessary. This dependency can be excluded from other dependencies that rely on it without any visible issues.
Remove pinned commons-logging version. Add exclusions to httpclient and mockserver-client-java.
Add exclusion for commons-logging.
Hi, thanks for the feedback again. I've updated the PR. I removed the pinned commons-logging, and added exclusions to httpclient, mockserver-client-java in extra/pom.xml and also to google-cloud-storage in extra/modules/greenbids-real-time-data/pom.xml. I'll look at the versions of google-cloud-storage that dropped commons-logging and see what works there.
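A check for the exclusion approach recommended above and applied in the reply, as an added example that is not part of the PR or of the project: a POSIX shell script that reads `mvn dependency:tree` output and reports every path by which commons-logging still reaches the build, so "excluded from all of them" can be verified instead of assumed. The sample tree text, its placeholder versions and the `check.sh` name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PR): after adding <exclusions>, confirm a transitive
# dependency no longer reaches the build, and if it does, show which direct
# dependency still pulls it in. Feed it `mvn dependency:tree` text, for instance:
#   (cd extra && mvn -q dependency:tree -Dincludes=commons-logging) | sh check.sh
# transitive_chains GROUP:ARTIFACT  (tree text on stdin)
# Exit status: 0 = not found (exclusions are complete), 1 = still present.
transitive_chains() {
  awk -v target="$1" '
    {
      line = $0
      sub(/^\[INFO\] ?/, "", line)
      if (match(line, /[A-Za-z0-9]/) == 0) next   # separator rules, blank lines
      depth = (RSTART - 1) / 3   # tree drawing is 3-char cells: "+- " "\- " "|  " "   "
      if (depth != int(depth)) next               # plugin banner, not a tree node
      coord = substr(line, RSTART)
      if (depth == 0 && coord !~ /^[^ ]+:[^ ]+:[^ ]+/) next  # BUILD SUCCESS, Total time
      path[depth] = coord
      if (index(coord, target ":") == 1) {
        chain = path[0]
        for (i = 1; i <= depth; i++) chain = chain " -> " path[i]
        print chain
        found++
      }
    }
    END { exit (found > 0) }'
}
count_chains() { transitive_chains "$1" | wc -l | tr -d ' '; }
# Constructed sample trees; versions are placeholders, not real releases.
# BEFORE: the three direct dependencies named in the review each drag in commons-logging.
BEFORE='[INFO] org.prebid:prebid-server-extra:jar:0.0.0-SAMPLE
[INFO] +- org.apache.httpcomponents:httpclient:jar:0.0.0-SAMPLE:compile
[INFO] |  \- commons-logging:commons-logging:jar:0.0.0-SAMPLE:compile
[INFO] +- org.mock-server:mockserver-client-java:jar:0.0.0-SAMPLE:test
[INFO] |  \- commons-logging:commons-logging:jar:0.0.0-SAMPLE:test
[INFO] \- com.google.cloud:google-cloud-storage:jar:0.0.0-SAMPLE:compile
[INFO]    \- com.google.http-client:google-http-client:jar:0.0.0-SAMPLE:compile
[INFO]       \- commons-logging:commons-logging:jar:0.0.0-SAMPLE:compile'
# AFTER: the same tree once the exclusions are in place.
AFTER='[INFO] org.prebid:prebid-server-extra:jar:0.0.0-SAMPLE
[INFO] +- org.apache.httpcomponents:httpclient:jar:0.0.0-SAMPLE:compile
[INFO] +- org.mock-server:mockserver-client-java:jar:0.0.0-SAMPLE:test
[INFO] \- com.google.cloud:google-cloud-storage:jar:0.0.0-SAMPLE:compile
[INFO] BUILD SUCCESS'
# Demo on the constructed BEFORE tree: prints three chains and exits non-zero.
printf '%s\n' "$BEFORE" | transitive_chains commons-logging:commons-logging || echo "still present"
```

Run it against the real tree of extra/ and of extra/modules/greenbids-real-time-data/ separately, since each module resolves its own dependencies.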
LGTM with a nitpick due to wrong indentations in src/test/java/org/prebid/server/geolocation/MaxMindGeoLocationServiceTest.java
I won't push to fix this as there is an upcoming project-wide update to Checkstyle enforcement, so there will be a blanket style inconsistency fix happening.
Fixed indentation.
LGTM
A functional test failure looks like a flake. @osulzhenko FYI
🧠 Rationale behind the change
Update dependencies to improve security posture.
🧪 Test plan
mvn clean package for build and test after each change.