MapDB 3.0.10 with guava build fails

[bratwurzt]

Guava dependency version is set as open-ended: <guava.version>[15.0,)</guava.version>

Because of that, build with mapdb fails (in my build, where redhat repos are visible): Failed to collect dependencies at org.mapdb:mapdb:jar:3.0.10 -> com.google.guava:guava:jar:31.1.0.redhat-00001

My question - why don't you set a concrete version?

Every enterprise build I've ever encountered has these versions locked for stability and reliability reasons.

I understand I can lock these versions myself - I'm just wondering about the reason.

[jankotek]

I'm just wondering about the reason.

MapDB 3 was released long time ago, when JDK8 compatibility was not an issue. Exact version leave build open to security vulnerabilities. I guess pinning versus open depends on particular software school. I only put upper bound on EC version, because I participated in development, and it was constantly downloading snapshots from private repos.

MapDB 4 (I am working on that yet again) will have no dependencies (except JDK8). It is written in Java, so there is not even dep on kotlin-stdlib.

[jankotek]

You wrote it is failing with some custom redhat repos. I build 3.0.10 release with JDK8 only, it passed all tests. So if there is some failure that is serious, please open another bug report with stack traces and more info.

[bratwurzt]

I'm just wondering about the reason.

MapDB 3 was released long time ago, when JDK8 compatibility was not an issue. Exact version leave build open to security vulnerabilities. I guess pinning versus open depends on particular software school. I only put upper bound on EC version, because I participated in development, and it was constantly downloading snapshots from private repos.

MapDB 4 (I am working on that yet again) will have no dependencies (except JDK8). It is written in Java, so there is not even dep on kotlin-stdlib.

thank you for replying.