Closed markusmuellerusi closed 4 months ago
Alpine snapshots are published to the OSSRH snapshot repository, e.g. https://oss.sonatype.org/content/repositories/snapshots/us/springett/alpine-common/
This repository is configured in Dependency-Track's POM: https://github.com/DependencyTrack/dependency-track/blob/1f2cc281a14de473485f35846e96f89a738bf321/pom.xml#L142-L151
Releasing new versions of Alpine for every single change is currently not practical for us. A new version of Alpine will be released and published to Maven Central when we are certain that it's fully operational and doesn't cause any regressions in DT.
Then please publish Alpine 2.2.6. It's missing. I do not really want to use a snapshot. But 2.2.6 has the run-in-transaction, which is used in Dependency-Track 4.11. Thanks in advance and best wishes.
I get the frustration, in particular when your organization does not allow consumption from external snapshot repositories.
Then please publish Alpine 2.2.6. It's missing. I do not really want to use a snapshot. But 2.2.6 has the run-in-transaction, which is used in Dependency-Track 4.11.
Version 4.11.x of Dependency-Track is using Alpine 2.2.5: https://github.com/DependencyTrack/dependency-track/blob/a0c5045bb700aa1e03bbc33db286717f367c7727/pom.xml#L24-L28
Note that the master branch is used for the next minor version (hence being 4.12.0-SNAPSHOT). We create separate release branches (i.e. 4.11.x as linked above) for backporting any critical bugfixes.
Version 2.2.6 of Alpine will never be released. Due to various larger changes, among them:
2.2.6-SNAPSHOT has been changed to 3.0.0-SNAPSHOT. Dependency-Track 4.12.0-SNAPSHOT has migrated to Alpine 3.0.0-SNAPSHOT via https://github.com/DependencyTrack/dependency-track/pull/3730, which was merged yesterday.
If you want to contribute a bugfix (not a feature), you could base your work on the 4.11.x branch and raise a PR into that. We can then take care of porting the fix to master.
Usually we do it the other way around (backporting from master to 4.11.x), but in the end it doesn't really matter.
Thanks a lot for the clarification!
Current Behavior
Alpine projects are required to be published on Maven repo. 2.2.6 is missing. (no snapshots, real versions)
Steps to Reproduce
Expected Behavior
Provide used artefacts in official repos.
Dependency-Track Version
4.11.1
Dependency-Track Distribution
Executable WAR
Database Server
Microsoft SQL Server
Database Server Version
No response
Browser
Microsoft Edge
Checklist