Possible issue bumping jars removes dependencies eg tomcat-embed-core causing runtime failures

[pnasrat]

Seen va a springboot app failing image test

Melange: https://github.com/wolfi-dev/os/blob/6d75a44d186104eec842b537973d53b3d61fa557/thingsboard.yaml Pombump: https://github.com/wolfi-dev/os/blob/6d75a44d186104eec842b537973d53b3d61fa557/thingsboard/pombump-deps.yaml

I ended up doing a comparison of

• make package/thingsboard
• compare thingsboard.jar contents with upstream release

make local=-
root@e69246f56aad:/usr/share# diff -W 200 -ay --suppress-common-lines  /tmp/1s /tmp/2s
BOOT-INF/lib/annotations-13.0.jar                                  |    BOOT-INF/lib/annotations-17.0.0.jar
                                                   >    BOOT-INF/lib/javapoet-1.13.0.jar
BOOT-INF/lib/json-smart-2.4.10.jar                                 <
BOOT-INF/lib/kotlin-stdlib-1.4.10.jar                                  |    BOOT-INF/lib/kotlin-reflect-1.9.22.jar
BOOT-INF/lib/kotlin-stdlib-common-1.4.10.jar                               |    BOOT-INF/lib/kotlin-stdlib-1.8.21.jar
                                                   >    BOOT-INF/lib/kotlin-stdlib-common-1.9.10.jar
                                                   >    BOOT-INF/lib/kotlinpoet-jvm-1.16.0.jar
BOOT-INF/lib/nimbus-jose-jwt-9.24.4.jar                                <
BOOT-INF/lib/okio-3.6.0.jar                                    |    BOOT-INF/lib/okio-jvm-3.7.0.jar
BOOT-INF/lib/okio-jvm-3.6.0.jar                                    <
BOOT-INF/lib/protobuf-java-3.25.3.jar                                  |    BOOT-INF/lib/protobuf-java-3.25.5.jar
BOOT-INF/lib/spring-web-6.1.6.jar                                  |    BOOT-INF/lib/spring-web-6.1.12.jar
BOOT-INF/lib/tomcat-embed-core-10.1.19.jar                             <
BOOT-INF/lib/wire-runtime-3.7.1.jar                                |    BOOT-INF/lib/wire-runtime-jvm-4.9.9.jar
BOOT-INF/lib/wire-schema-3.7.1.jar                                 |    BOOT-INF/lib/wire-schema-jvm-4.9.9.jar
root@e69246f56aad:/usr/share# 

Building without pombump correctly generates

2edd4cb25c74:/work/packages# jar tvf /usr/share/thingsboard/bin/thingsboard.jar | grep tomcat
3521056 Wed Feb 14 19:36:50 GMT 2024 BOOT-INF/lib/tomcat-embed-core-10.1.19.jar
261050 Wed Feb 14 19:36:50 GMT 2024 BOOT-INF/lib/tomcat-embed-el-10.1.19.jar
281604 Wed Feb 14 19:36:50 GMT 2024 BOOT-INF/lib/tomcat-embed-websocket-10.1.19.jar

[pnasrat]

Really what needs bumping here is not the leaf deps but the spring boot version

Also I am not sure that the pombump

diff --git a/pom.xml b/pom.xml
index b44fcb6d71..1766bd7264 100755
--- a/pom.xml
+++ b/pom.xml
@@ -42,12 +42,12 @@
         <jakarta.xml.bind-api.version>4.0.2</jakarta.xml.bind-api.version>
         <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
         <jaxb-runtime.version>4.0.5</jaxb-runtime.version>
-        <spring-boot.version>3.2.4</spring-boot.version>
-        <spring-data.version>3.2.5</spring-data.version>
-        <spring-data-redis.version>3.2.5</spring-data-redis.version>
-        <spring.version>6.1.6</spring.version>
-        <spring-redis.version>6.2.4</spring-redis.version>
-        <spring-security.version>6.2.4</spring-security.version>
+        <spring-boot.version>3.2.10</spring-boot.version>
+        <spring-data.version>3.2.10</spring-data.version>
+        <spring-data-redis.version>3.2.10</spring-data-redis.version>
+        <spring.version>6.1.12</spring.version>
+        <spring-redis.version>6.2.9</spring-redis.version>
+        <spring-security.version>6.2.6</spring-security.version>
         <jedis.version>5.1.2</jedis.version>
         <jjwt.version>0.12.5</jjwt.version>
         <slf4j.version>2.0.13</slf4j.version>
@@ -81,7 +81,7 @@
         <mail.version>2.0.1</mail.version>
         <curator.version>5.6.0</curator.version>
         <zookeeper.version>3.9.2</zookeeper.version>
-        <protobuf.version>3.25.3</protobuf.version> <!-- A Major v4 does not support by the pubsub yet-->
+        <protobuf.version>3.25.5</protobuf.version> <!-- A Major v4 does not support by the pubsub yet-->
         <grpc.version>1.63.0</grpc.version>
         <tbel.version>1.2.3</tbel.version>
         <lombok.version>1.18.32</lombok.version>

[pnasrat]

The pombump pipeline seems to act on the top level pom

https://github.com/chainguard-dev/melange/blob/main/pkg/build/pipelines/maven/pombump.yaml

 pombump --patch-file ~/src/packages/wolfi-os/thingsboard/pombump-deps.yaml  pom.xml > pom.xml.new
2024/10/18 20:28:24 INFO Have patch: com.nimbusds.nimbus-jose-jwt:9.37.2
2024/10/18 20:28:24 INFO Have patch: com.squareup.okio.okio:3.4.0
2024/10/18 20:28:24 INFO Have patch: org.apache.tomcat.embed.tomcat-embed-core:10.1.25
2024/10/18 20:28:24 INFO Have patch: kotlin-stdlib.kotlin-stdlib:1.4.21
2024/10/18 20:28:24 INFO Have patch: net.minidev.json-smart:2.4.9
2024/10/18 20:28:24 INFO Have patch: com.squareup.wire.wire-schema-jvm:4.9.9
2024/10/18 20:28:24 INFO Have patch: com.google.protobuf.protobuf-java:3.25.5
2024/10/18 20:28:24 INFO Have patch: org.springframework.spring-web:6.1.12
2024/10/18 20:28:24 INFO Checking DEP: org.projectlombok.lombok:
2024/10/18 20:28:24 INFO Patching DM dep org.springframework.spring-web from ${spring.version} to 6.1.12 with scope: import
2024/10/18 20:28:24 INFO Patching DM dep com.google.protobuf.protobuf-java from ${protobuf.version} to 3.25.5 with scope: import
2024/10/18 20:28:24 INFO Patching DM dep com.squareup.wire.wire-schema-jvm from ${wire-schema.version} to 4.9.9 with scope: import
2024/10/18 20:28:24 INFO Adding missing dependency: com.squareup.okio.okio:3.4.0
2024/10/18 20:28:24 INFO Adding missing dependency: org.apache.tomcat.embed.tomcat-embed-core:10.1.25
2024/10/18 20:28:24 INFO Adding missing dependency: kotlin-stdlib.kotlin-stdlib:1.4.21
2024/10/18 20:28:24 INFO Adding missing dependency: net.minidev.json-smart:2.4.9
2024/10/18 20:28:24 INFO Adding missing dependency: com.nimbusds.nimbus-jose-jwt:9.37.2

Can't attach xml file so used txt extensions before and after pom.xml.txt pom.new.xml.txt