Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[cross-project-issues-dev] proposed Orbit update: switch from com.spotify.docker.client to org.mandas.docker.client

Over on orbit-dev, Roland Grunberg suggested that I notify this list about this proposed change due to the potential impact on other projects.

Please refer to for detailed background info.

In a nutshell, com.spotify.docker.client (currently available via Orbit) is no longer maintained and has dependencies with CVEs.  A Java docker client is needed by linux-tools docker tooling (and at least one downstream project which is maintained by my team).  org.mandas.docker.client is a fork of Spotify Docker Client which is being actively maintained with special consideration for CVE mitigation.  It preserves the existing interface but changes the package name from com.spotify to org.mandas, so projects using it as a dependency will need to make some updates (but they should be mostly straightforward).  The dependency set is almost entirely updated and in some cases changed in order to eliminate problematic or unmaintained dependencies.  The proposal is to replace com.spotify.docker.client with org.mandas.docker.client in Orbit. This will require a large number of updates in Orbit (many of the updates should be made anyway due to CVEs in the versions which are currently available in Orbit).  The proposed list of changes follows.

Update to org.slf4j.api 1.7.29, remove 1.7.2 and 1.7.10

Update jackson to 2.10.1, remove 2.9.9/2.9.93 (this set of changes will include com.fasterxml.jackson.core.jackson-annotations, 
com.fasterxml.jackson.core.jackson-core, com.fasterxml.jackson.core.jackson-databind, com.fasterxml.jackson.datatype.jackson-datatype-guava, com.fasterxml.jackson.jaxrs.jackson-jaxrs-base, com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider)

Update to jersey 2.29.1, remove 2.22.1 (this set of changes will include org.glassfish.jersey.apache.connector, org.glassfish.jersey.bundles.repackaged.jersey-guava, org.glassfish.jersey.containers.servlet, org.glassfish.jersey.containers.servlet.core, org.glassfish.jersey.core.jersey-client, org.glassfish.jersey.core.jersey-common, org.glassfish.jersey.core.jersey-server, org.glassfish.jersey.ext.entityfiltering,

Update to javax.activation 1.1.1, remove 1.1.0

Update to org.apache.commons.compress 1.19, remove 1.6.0, 1.15.0, 1.18.0

Update to com.github.jnr.unixsocket 0.24.0, remove 0.18.0

Update to org.mockito.core 3.2.0, remove 2.23.0

Update to ch.qos.logback.* 1.2.3, remove 1.0.7, 1.1.2 (this set of changes will include ch.qos.logback.classic, ch.qos.logback.core, ch.qos.logback.slf4j)

Add org.immutables.value 2.8.2

Add 0.18.0

Add  1.1

Add joda-time 2.10.5

Add org.awaitility 4.0.1

Add com.squareup.okhttp3.mockwebserver 4.2.2 

Add com.spotify.hamcrest-jackson 1.1.5

Add com.spotify.hamcrest-pojo 1.1.5

Back to the top