Closed tiagomlalves closed 6 months ago
Hi @tiagomlalves,
Bouncy Castle is not included as a transitive dependency, so there shouldn't be any reason for us to publish a new release.
Thanks, Jeremy
You can also verify this by examining the POM published here to Maven Central.
@norrisjeremy I see BouncyCastle being referenced in https://github.com/mwiede/jsch/blob/master/pom.xml#L89-L94, and whenever jsch is imported by, for example, https://github.com/clj-commons/clj-ssh, I see BouncyCastle being pulled in as a dependency. In our project, we depend on clj-ssh and we require the latest 1.78 or higher. We can exclude the BouncyCastle dependency directly in our project when it comes from clj-ssh and put in the version we want. Alternatively, wouldn't it be a preferable path to have a new jsch release with it?
Hi @tiagomlalves
That is the build POM we use, but is not the POM that is published to Maven Central with the official release. If you look at the POM published to Maven Central, you will see that the Bouncy Castle dependency is omitted entirely.
It sounds like you need to take up this issue with the clj-ssh project if it is pulling in Bouncy Castle as a transitive dependency.
Thanks, Jeremy
Hi @tiagomlalves,
Also, when I run dependency analysis on clj-ssh, I do not see it pulling in Bouncy Castle as a transitive dependency either, so however your project is gaining Bouncy Castle as a transitive dependency, it is not coming from JSch or clj-ssh.
pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <version>1.0.0</version>
  <repositories>
    <repository>
      <id>clojars.org</id>
      <url>https://repo.clojars.org</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>org.clj-commons</groupId>
      <artifactId>clj-ssh</artifactId>
      <version>0.6.6</version>
    </dependency>
  </dependencies>
</project>
Dependency analysis:
$ mvn org.apache.maven.plugins:maven-dependency-plugin:3.6.1:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------< foo:bar >-------------------------------
[INFO] Building bar 1.0.0
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.6.1:tree (default-cli) @ bar ---
[INFO] foo:bar:jar:1.0.0
[INFO] \- org.clj-commons:clj-ssh:jar:0.6.6:compile
[INFO]    +- org.clojure:tools.logging:jar:1.2.4:compile
[INFO]    +- com.github.mwiede:jsch:jar:0.2.15:compile
[INFO]    +- net.java.dev.jna:jna:jar:5.14.0:compile
[INFO]    \- com.kohlschutter.junixsocket:junixsocket-core:pom:2.8.3:compile
[INFO]       +- com.kohlschutter.junixsocket:junixsocket-native-common:jar:2.8.3:compile
[INFO]       \- com.kohlschutter.junixsocket:junixsocket-common:jar:2.8.3:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.544 s
[INFO] Finished at: 2024-05-05T08:31:59-05:00
Thanks, Jeremy
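The dependency-tree check above, as an added example that is not part of this thread, of JSch or of clj-ssh: a script that parses `mvn dependency:tree` output and reports the path by which any Bouncy Castle artifact older than a required minimum (1.78 here) reaches the project, which is the question this thread was trying to settle. The sample tree reuses the coordinates from Jeremy's output; `com.example:other-lib` and the `bcprov-jdk18on` 1.77 line are constructed for illustration.

```python
import re

# One line of `mvn dependency:tree` output: optional "[INFO] " prefix, the tree
# characters (+- , \- , |  ), then groupId:artifactId:type[:classifier]:version[:scope].
# Anchoring at end of line keeps banner lines like "--- dependency:3.6.1:tree ..." out.
LINE_RE = re.compile(
    r"^(?:\[INFO\] )?(?P<tree>[ |+\\-]*)"
    r"(?P<coord>[\w.\-]+:[\w.\-]+(?::[\w.\-]+){2,})\s*$"
)

def parse_tree(text):
    """Return (depth, groupId, artifactId, version) for every dependency line."""
    nodes = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        depth = len(m.group("tree")) // 3  # each nesting level is 3 characters wide
        parts = m.group("coord").split(":")
        version = parts[4] if len(parts) == 6 else parts[3]  # 6 parts: classifier present
        nodes.append((depth, parts[0], parts[1], version))
    return nodes

def paths_to(nodes, group_prefix):
    """Chain root -> ... -> node ('group:artifact:version' strings) for every
    node whose groupId starts with group_prefix, e.g. "org.bouncycastle"."""
    stack, hits = [], []
    for depth, group, artifact, version in nodes:
        del stack[depth:]  # pop back to this node's parent
        stack.append(f"{group}:{artifact}:{version}")
        if group.startswith(group_prefix):
            hits.append(list(stack))
    return hits

def version_tuple(v):
    """'1.78.1' -> (1, 78, 1); sufficient for Bouncy Castle's numeric versions."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def below_minimum(nodes, group_prefix, minimum):
    """Paths to artifacts under group_prefix whose version is older than minimum."""
    return [p for p in paths_to(nodes, group_prefix)
            if version_tuple(p[-1].rsplit(":", 1)[1]) < version_tuple(minimum)]

# Constructed sample: the tree from this thread plus a hypothetical second
# dependency (com.example:other-lib) that drags in an older Bouncy Castle.
SAMPLE = r"""
[INFO] foo:bar:jar:1.0.0
[INFO] +- org.clj-commons:clj-ssh:jar:0.6.6:compile
[INFO] |  +- com.github.mwiede:jsch:jar:0.2.15:compile
[INFO] |  \- com.kohlschutter.junixsocket:junixsocket-core:pom:2.8.3:compile
[INFO] |     \- com.kohlschutter.junixsocket:junixsocket-common:jar:2.8.3:compile
[INFO] \- com.example:other-lib:jar:2.0.0:compile
[INFO]    \- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
"""
```

Run it against real output with `mvn dependency:tree > tree.txt` and `below_minimum(parse_tree(open("tree.txt").read()), "org.bouncycastle", "1.78")`; each returned path names the direct dependency that needs the exclusion or the version pin.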
@norrisjeremy Thank you for providing further details - you're right. The dependency in our project is caused by another library. I'm sorry about that.
Hi team, are there any plans for a new jsch release with an updated BouncyCastle version?