Bulk dependency upgrade 2026-06-28 #4566

Merged: janhoy merged 147 commits into apache:main from janhoy:deps-main-2026-06-28 on Jun 30, 2026

@janhoy janhoy commented Jun 28, 2026

Dependency upgrades — main branch (2026-06-28)

This branch combines solrbot dependency upgrade PRs that had all CI checks passing on main as of 2026-06-28.

Lockfiles were regenerated, license checksums updated, version-compatibility issues reviewed, and the full test suite verified locally (./gradlew test: BUILD SUCCESSFUL, 0 failures across all 24 module test tasks).

Notes

Successfully merged PRs

| PR | Dependency | Version |
|---|---|---|
| #4559 | com.squareup.okhttp3:okhttp | 5.4.0 |
| #4557 | org.apache.opennlp | 2.5.10 |
| #4542 | io.grpc:grpc | 1.82.0 |
| #4508 | net.java.dev.jna:jna | 5.19.1 |
| #4491 | com.google.cloud:google-cloud-bom | 0.265.0 |
| #4482 | io.dropwizard.metrics:metrics-core | 4.2.39 |
| #4459 | org.immutables:value-annotations | 2.12.2 |
| #4437 | org.jetbrains.kotlinx:kotlinx-coroutines | 1.11.0 |
| #4436 | org.jetbrains.kotlinx:kotlinx-datetime | 0.8.0-0.6.x-compat |
| #4434 | org.threeten:threetenbp | 1.7.3 |
| #4410 | org.jetbrains.androidx.navigation3:navigation3-ui | 1.1.1 |
| #4409 | io.github.oshai:kotlin-logging | 8.0.4 |
| #4395 | com.fasterxml.jackson:jackson-bom | 2.22.0 |
| #4392 | org.openapi.generator | 7.23.0 |
| #4389 | io.nlopez.compose.rules:ktlint | 0.6.2 |
| #4365 | org.glassfish.hk2:hk2 | 4.0.1 |
| #4364 | com.google.protobuf:protobuf-java | 4.35.1 |
| #4363 | org.testcontainers:testcontainers | 2.0.5 |
| #4362 | org.jctools:jctools-core | 4.0.6 |
| #4359 | joda-time:joda-time | 2.14.2 |
| #4353 | com.jayway.jsonpath:json-path | 3.0.0 |
| #4350 | org.codehaus.woodstox:stax2-api | 4.3.0 |
| #4348 | commons-io:commons-io | 2.22.0 |
| #4347 | commons-codec:commons-codec | 1.22.0 |
| #4346 | com.squareup.okio:okio | 3.17.0 |
| #4343 | Admin UI libraries (compose 1.11.1, decompose 3.5.0, mvikotlin 4.4.0, …) | |
| #4342 | io.netty:netty-tcnative | 2.0.79.Final |
| #4341 | dev.logchange | 1.19.15 |
| #4133 | com.nvidia.cuvs:cuvs-java (major) | 26.06.0 |
| #4096 | org.jetbrains.kotlinx:atomicfu | 0.33.0 |
| #3990 | dev.langchain4j:langchain4j-bom | 1.16.3 |
| #3979 | com.nvidia.cuvs.lucene:cuvs-lucene | 25.12.0 |
| #3868 | com.google.auto.value:auto-value-annotations | 1.11.1 |
| #3857 | com.nimbusds:nimbus-jose-jwt | 10.9.1 |
| #3836 | com.ibm.icu:icu4j (major) | 78.3 |
| #3749 | org.ow2.asm | 9.10.1 |
| #3661 | com.google.code.gson:gson | 2.14.0 |
| #3475 | org.jetbrains.kotlin:kotlin | 2.4.0 |
| #3218 | io.ktor:ktor-bom | 3.5.0 |
| #3136 | org.glassfish.jaxb:jaxb-runtime (major) | 4.0.9 |
| #3130 | jakarta.ws.rs:jakarta.ws.rs-api (major) | 4.0.0 |
| #3083 | com.fasterxml.woodstox:woodstox-core | 7.2.1 |
| #3077 | io.swagger.core.v3 (swagger3) | 2.2.52 |

solrbot and others added 30 commits May 14, 2026 22:32

@dsmiley dsmiley left a comment

I think these machine-generated version bump changelog entries are noise that nobody will care about.

Non-machine-generated upgrades (e.g. that take some care/effort), on the other hand, are more useful.

@@ -0,0 +1,7 @@
title: Update swagger3
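
Review bot: the "title:" line of this new file names no version, so the changelog entry cannot be read on its own once the PR context is gone. Include the target version the PR description lists for swagger3, for example "title: Update swagger3 to 2.2.52".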

Contributor

to what version?

Contributor Author

Renovate is weak in specifying version in pr title sometimes. Check toml file. These commit messages will be squashed anyway. Will probably make a squash commit message with one line per dep.

epugh commented Jun 29, 2026

@janhoy this is very cool (and ignore my comment on another PR about renovatebot and grouping upgrades), because this is totally what I was asking for. One side effect of doing a bulk upgrade like this is that it might then be a good chance to recheck all our VEX statements. I assume you used some prompts and AI to drive this process? I could imagine a prompt that was "Please look at all the changes in pr 4566 and compare the dependency updates with our ./solr/vex statements and identify which VEX statements could potentially be updated to reflect that the next Solr version is no longer vulnerable".

janhoy commented Jun 29, 2026

I used the prompt in #4311

janhoy added 2 commits June 30, 2026 01:48
# Conflicts:
#	solr/core/gradle.lockfile
#	solr/solrj-zookeeper/gradle.lockfile
#	solr/test-framework/gradle.lockfile

janhoy commented Jun 30, 2026

> I think these machine-generated version bump changelog entries are noise that nobody will care about.

This is an interesting policy discussion which we should have on dev@. It is definitely noisy to say foo upgraded from 1.2.1 to 1.2.2. It's ultimately the call of RM, but would be nice to make his/her job as easy and scripted as possible.

@janhoy janhoy merged commit 62400f9 into apache:main Jun 30, 2026
7 checks passed
@janhoy janhoy deleted the deps-main-2026-06-28 branch June 30, 2026 00:07
janhoy added a commit that referenced this pull request Jun 30, 2026
Backports the non-UI dependency upgrades from the bulk upgrade #4566:

- apache-opennlp: 2.5.9 -> 2.5.10
- codehaus-woodstox (stax2-api): 4.2.2 -> 4.3.0
- commons-codec: 1.21.0 -> 1.22.0
- commons-io: 2.21.0 -> 2.22.0
- cuvs-java: 25.10.0 -> 26.06.0
- cuvs-lucene: 25.10.0 -> 25.12.0
- dropwizard-metrics: 4.2.38 -> 4.2.39
- fasterxml-jackson: 2.21.2 -> 2.22.0
- fasterxml-woodstox: 7.0.0 -> 7.2.1
- google-autovalue: 1.11.0 -> 1.11.1
- google-cloud-bom: 0.261.0 -> 0.265.0
- google-gson: 2.13.1 -> 2.14.0
- google-protobuf: 4.34.1 -> 4.35.1
- grpc: 1.80.0 -> 1.82.0
- hk2: 3.1.1 -> 4.0.1
- ibm-icu (icu4j): 77.1 -> 78.3
- immutables-valueannotations: 2.12.1 -> 2.12.2
- jakarta-ws-rs-api: 3.1.0 -> 4.0.0
- jaxb: 2.3.9 -> 4.0.9
- jayway-jsonpath: 2.9.0 -> 3.0.0
- jctools: 4.0.5 -> 4.0.6
- jna: 5.18.1 -> 5.19.1
- joda-time: 2.14.0 -> 2.14.2
- langchain4j-bom: 1.9.1 -> 1.16.3
- logchange: 1.19.13 -> 1.19.15
- netty-tcnative: 2.0.77.Final -> 2.0.79.Final
- nimbus-jose-jwt: 10.5 -> 10.9.1
- openapi-generator: 7.20.0 -> 7.23.0
- oshai-kotlin-logging: 8.0.01 -> 8.0.4
- ow2-asm: 9.8 -> 9.10.1
- swagger3: 2.2.22 -> 2.2.52
- testcontainers: 2.0.3 -> 2.0.5
- threeten-bp: 1.7.2 -> 1.7.3
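
Added example, not part of the PR or of the Solr project's tooling: a small script for the VEX recheck suggested in the conversation above, run over a few lines copied from the backport commit message. The statement records, their field names (`component`, `fixed_in`) and the `EXAMPLE-VULN-*` ids are constructed for illustration and do not reflect the format of the files under ./solr/vex.

```python
import re

# A few lines copied from the backport commit message on this page.
BUMPS = """\
- fasterxml-jackson: 2.21.2 -> 2.22.0
- jayway-jsonpath: 2.9.0 -> 3.0.0
- netty-tcnative: 2.0.77.Final -> 2.0.79.Final
- nimbus-jose-jwt: 10.5 -> 10.9.1
"""

# Constructed statements: ids, field names and fixed_in values are hypothetical.
STATEMENTS = [
    {"id": "EXAMPLE-VULN-1", "component": "nimbus-jose-jwt", "fixed_in": "10.8"},
    {"id": "EXAMPLE-VULN-2", "component": "netty-tcnative", "fixed_in": "2.0.80.Final"},
    {"id": "EXAMPLE-VULN-3", "component": "jayway-jsonpath", "fixed_in": "2.9.0"},
    {"id": "EXAMPLE-VULN-4", "component": "example-lib", "fixed_in": "1.0.0"},
]

def vkey(version):
    """Numeric sort key; qualifiers such as '.Final' are ignored, so
    pre-release ordering (-rc1, -beta) is NOT handled."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))  # pad so 10.5 == 10.5.0

def parse_bumps(text):
    """Map component -> (old, new) from '- name (alias): old -> new' lines."""
    pattern = re.compile(r"^-\s+([\w.-]+)[^:\n]*:\s*(\S+)\s*->\s*(\S+)\s*$", re.M)
    return {m.group(1): (m.group(2), m.group(3)) for m in pattern.finditer(text)}

def triage(bumps_text, statements):
    """Label each statement by how the bump relates to its fixed_in version."""
    bumps = parse_bumps(bumps_text)
    result = {}
    for s in statements:
        if s["component"] not in bumps:
            result[s["id"]] = "no-bump"          # dependency untouched by this PR
            continue
        old, new = bumps[s["component"]]
        fixed = vkey(s["fixed_in"])
        if vkey(new) < fixed:
            result[s["id"]] = "still-applies"    # upgraded, but not far enough
        elif vkey(old) < fixed:
            result[s["id"]] = "recheck"          # bump crosses the fixed version
        else:
            result[s["id"]] = "stale"            # was already at or past the fix
    return result

if __name__ == "__main__":
    for vuln_id, label in triage(BUMPS, STATEMENTS).items():
        print(vuln_id, label)
```

Only the `recheck` entries are candidates for a status change; a person still has to confirm the fixed version against the upstream advisory before editing a statement.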