Fork me on GitHub
#tools-deps
<
2021-03-09
>
introom11:03:28

Do you know how to auth with

with deps without setting the $HOME/.maven config ?

alexmiller13:03:28

I don’t think you can

borkdude14:03:18

Just some feedback: I've had the cognitect test-runner problem several times again today, and I'm pretty sure I didn't interrupt anything

alexmiller14:03:11

noted, update coming soon

alexmiller14:03:35

I am also wondering if there is some issue with the whole shelling out process not running to completion or something

alexmiller14:03:07

are you running this in some way such that ~/.gitlibs doesn't exist each time?

borkdude14:03:24

I am sometimes just rm -rf ~/.gitlibs (because of problems) and then when I try again, everything works like expected. but if I go to another project which uses a different SHA of the test runner, I run into this problem

zane16:03:15

I recall there’s a way to get clj / clojure to include its own dependencies in -Stree, but I don’t remember what it was. Could someone remind me?

seancorfield17:03:38

@zane If you use -Sdeps, they'll be included in -Stree I believe. If you use -X:deps tree they won't, as I recall.

zane17:03:56

Hmm. Like so? All I’m seeing is spec.

❯ clojure -Stree -Sdeps '{}'
org.clojure/clojure 1.10.2
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56

seancorfield17:03:21

Oh, I misread your question. clj/`clojure` are shell scripts so they do not have dependencies, but what I think you mean is you want to see the tools.deps.alpha stuff?

(! 843)-> clojure -Stree -A:deps
org.clojure/clojure 1.10.2
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56
org.clojure/tools.deps.alpha 0.10.889
  . org.apache.maven.resolver/maven-resolver-api 1.6.1
  . org.apache.maven.resolver/maven-resolver-spi 1.6.1
    . org.apache.maven.resolver/maven-resolver-api 1.6.1
  . org.apache.maven.resolver/maven-resolver-impl 1.6.1
    . org.apache.maven.resolver/maven-resolver-api 1.6.1
    . org.apache.maven.resolver/maven-resolver-spi 1.6.1
    . org.apache.maven.resolver/maven-resolver-util 1.6.1
    . org.apache.commons/commons-lang3 3.8.1
    . org.slf4j/slf4j-api 1.7.30 :newer-version
  . org.apache.maven.resolver/maven-resolver-util 1.6.1
... and a screenful more ...

zane17:03:01

Probably! This is that issue I mentioned before where a third-party security scan is flagging Jetty as having vulnerabilities.

zane17:03:16

I’m trying to figure out which version of Jetty winds up being included in the .jars the clj and clojure shell scripts rely on.

zane17:03:25

I think what you posted above does what I want.

zane17:03:12

The vulnerability they’re worried about was fixed in org.eclipse.jetty_jetty-io 9.4.36, but alas it looks like tools.deps still relies on org.eclipse.jetty/jetty-io 9.4.24.v20191120.

alexmiller18:03:18

the chain of deps down to that can be upgraded to address that, just hasn't yet

alexmiller18:03:31

or that is, it has been, but tools.deps isn't using it yet

alexmiller18:03:39

but I will get that in the next build

seancorfield18:03:06

@zane That vulnerability is in the server or the client portion of that library? ISTR that t.d.a uses only the non-vulnerable part of Jetty (we had this discussion already, didn't we?)

alexmiller18:03:46

I don't think it's an issue, but upgrading regardless

alexmiller18:03:06

committed, will be in next build

zane18:03:44

It’s definitely not a real issue, but thank you all the same @U064X3EF3!

zane18:03:55

@U04V70XH6 > That vulnerability is in the server or the client portion of that library? Server. > we had this discussion already, didn’t we? We sure did. Our partner’s security team keeps flagging this issue even though in the past they’ve accepted our explanation that our software doesn’t use Jetty’s web server. 😩

seancorfield18:03:40

Sorry 😞 Some of those security folks can be... a bit intransigent...

zane18:03:39

Yeah, I mean, I understand their position but it’s definitely a hassle.