tesshucom / jpsonic

This is a repository for development. See https://github.com/jpsonic/jpsonic
GNU General Public License v3.0

Improve lib configuration management #2631

Closed tesshucom closed 2 months ago

tesshucom commented 2 months ago

Overview

The pom configuration will change to make library configuration management easier.

Details

We mainly use three versions-maven-plugin commands.

However, display-dependency-updates displays all transitive dependencies, so the burden of using it is very heavy. display-property-updates only shows dependencies whose properties are explicitly managed.

Therefore, property management will be promoted more. The configuration is modified to avoid transitive dependency checks.

About Version Properties

They are managed in the parent pom.xml that exists in Jpsonic's Base directory. These include the Libs that Jpsonic directly depends on, and some of the Libs that it transitively depends on.

Some Libs that are transitively dependent specifically mean overriding Spring Boot Dependencies. If we want to detect and address security flaws in 3rd-party-lib before the Spring release, we will obviously need to override them. (However, products with high security risks are relatively limited.)

Additional Note

This pull request will update the plugin and dependent library versions to the latest. As of v114.1, the work on vulnerabilities has already reached a certain level of completion. Starting with v114.2, there will be even more extensive freshness control.
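Because display-property-updates only reports versions held in properties, any version written as a literal in the POM drops out of that report. The following check lists such entries; it is an added example, not part of this issue or of Jpsonic's code, and the sample POM and the name `audit_versions` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_REF = re.compile(r"^\$\{([^}]+)\}$")

# Constructed sample parent POM (not Jpsonic's real pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><lib-a.version>1.2.3</lib-a.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>com.example</groupId><artifactId>lib-a</artifactId>
      <version>${lib-a.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>lib-b</artifactId>
      <version>4.5.6</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>lib-c</artifactId>
      <version>${lib-c.version}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

def audit_versions(pom_xml):
    """Return (literal, undefined): versions not backed by a <properties> entry."""
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", NS)
    defined = {p.tag.split("}", 1)[-1] for p in props} if props is not None else set()
    literal, undefined = [], []
    # Covers dependencies and plugins, both direct and under *Management.
    for tag in ("dependency", "plugin"):
        for node in root.iter("{%s}%s" % (NS["m"], tag)):
            version = node.findtext("m:version", default=None, namespaces=NS)
            if version is None:
                continue  # inherited or BOM-managed; nothing declared here
            name = "%s:%s" % (node.findtext("m:groupId", "", NS),
                              node.findtext("m:artifactId", "", NS))
            ref = PROP_REF.match(version.strip())
            if ref is None:
                literal.append(name)  # invisible to display-property-updates
            elif ref.group(1) not in defined and not ref.group(1).startswith("project."):
                undefined.append(name)  # property expected in a parent POM
    return literal, undefined

if __name__ == "__main__":
    print(audit_versions(SAMPLE_POM))
```

Entries in the second list reference a property that this POM does not define, which is expected in a child module whose properties live in the parent pom.xml.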