#tools-deps
2021-03-09
pinkfrog11:03:28

Do you know how to auth with

with deps without setting the $HOME/.maven config?

Alex Miller (Clojure team)13:03:28

I don’t think you can

borkdude14:03:18

Just some feedback: I've had the cognitect test-runner problem several times again today, and I'm pretty sure I didn't interrupt anything

Alex Miller (Clojure team)14:03:11

noted, update coming soon

Alex Miller (Clojure team)14:03:35

I am also wondering if there is some issue with the whole shelling out process not running to completion or something

Alex Miller (Clojure team)14:03:07

are you running this in some way such that ~/.gitlibs doesn't exist each time?

borkdude14:03:24

I sometimes just rm -rf ~/.gitlibs (because of problems) and then when I try again, everything works as expected. But if I go to another project which uses a different SHA of the test runner, I run into this problem.

zane16:03:15

I recall there’s a way to get clj / clojure to include its own dependencies in -Stree, but I don’t remember what it was. Could someone remind me?

seancorfield17:03:38

@zane If you use -Sdeps, they'll be included in -Stree I believe. If you use -X:deps tree they won't, as I recall.

zane17:03:56

Hmm. Like so? All I’m seeing is spec.

❯ clojure -Stree -Sdeps '{}'
org.clojure/clojure 1.10.2
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56

seancorfield17:03:21

Oh, I misread your question. clj/clojure are shell scripts so they do not have dependencies, but what I think you mean is you want to see the tools.deps.alpha stuff?

(! 843)-> clojure -Stree -A:deps
org.clojure/clojure 1.10.2
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56
org.clojure/tools.deps.alpha 0.10.889
  . org.apache.maven.resolver/maven-resolver-api 1.6.1
  . org.apache.maven.resolver/maven-resolver-spi 1.6.1
    . org.apache.maven.resolver/maven-resolver-api 1.6.1
  . org.apache.maven.resolver/maven-resolver-impl 1.6.1
    . org.apache.maven.resolver/maven-resolver-api 1.6.1
    . org.apache.maven.resolver/maven-resolver-spi 1.6.1
    . org.apache.maven.resolver/maven-resolver-util 1.6.1
    . org.apache.commons/commons-lang3 3.8.1
    . org.slf4j/slf4j-api 1.7.30 :newer-version
  . org.apache.maven.resolver/maven-resolver-util 1.6.1
... and a screenful more ...

zane17:03:01

Probably! This is that issue I mentioned before where a third-party security scan is flagging Jetty as having vulnerabilities.

zane17:03:16

I’m trying to figure out which version of Jetty winds up being included in the .jars the clj and clojure shell scripts rely on.

zane17:03:25

I think what you posted above does what I want.

zane17:03:12

The vulnerability they’re worried about was fixed in org.eclipse.jetty_jetty-io 9.4.36, but alas it looks like tools.deps still relies on org.eclipse.jetty/jetty-io 9.4.24.v20191120.

Alex Miller (Clojure team)18:03:18

the chain of deps down to that can be upgraded to address that, just hasn't yet

Alex Miller (Clojure team)18:03:31

or that is, it has been, but tools.deps isn't using it yet

Alex Miller (Clojure team)18:03:39

but I will get that in the next build

seancorfield18:03:06

@zane That vulnerability is in the server or the client portion of that library? ISTR that t.d.a uses only the non-vulnerable part of Jetty (we had this discussion already, didn't we?)

Alex Miller (Clojure team)18:03:46

I don't think it's an issue, but upgrading regardless

Alex Miller (Clojure team)18:03:06

committed, will be in next build

zane18:03:44

It’s definitely not a real issue, but thank you all the same @U064X3EF3!

zane18:03:55

@U04V70XH6
> That vulnerability is in the server or the client portion of that library?
Server.
> we had this discussion already, didn’t we?
We sure did. Our partner’s security team keeps flagging this issue even though in the past they’ve accepted our explanation that our software doesn’t use Jetty’s web server. 😩

seancorfield18:03:40

Sorry 😞 Some of those security folks can be... a bit intransigent...

zane18:03:39

Yeah, I mean, I understand their position but it’s definitely a hassle.