Skip to content

Bulk dependency upgrades 2026-06-29 (branch_9x)#4570

Merged
janhoy merged 69 commits into
apache:branch_9xfrom
janhoy:deps-branch_9x-2026-06-29
Jun 30, 2026
Merged

Bulk dependency upgrades 2026-06-29 (branch_9x)#4570
janhoy merged 69 commits into
apache:branch_9xfrom
janhoy:deps-branch_9x-2026-06-29

Conversation

@janhoy

@janhoy janhoy commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Dependency upgrades — branch_9x branch (2026-06-29)

This is an AI assisted PR grouping dependency upgrade PRs that had all CI checks passing on branch_9x as of 2026-06-29. It is NOT a backport of upgrades from main branch, since 9x requires java11 and have other contstraints, so the updates are independent.

Lockfile was regenerated, license checksums updated, version-compatibility issues resolved, and the full test suite verified locally.

Successfully merged PRs

PR Dependency Version
#4494 com.carrotsearch.randomizedtesting:* 2.9.1
#4480 io.dropwizard.metrics:* 4.2.39
#4470 org.apache.tika:* 3.3.1
#4460 com.google.protobuf:* 4.35.1
#4456 org.immutables:value-annotations 2.12.2
#4439 org.apache.commons:commons-configuration2 2.15.1
#4438 org.slf4j:* 2.0.18
#4398 io.netty:netty* 4.2.15.Final
#4390 com.github.ben-manes.caffeine:caffeine 3.2.4
#4386 org.testcontainers:testcontainers* (major) 2.0.5
#4384 net.bytebuddy:* 1.18.10
#4382 org.bouncycastle:bcpkix-jdk18on 1.84
#4380 org.apache.kerby:* 2.1.2
#4379 software.amazon.awssdk:* 2.46.18
#4378 io.grpc:grpc-* 1.82.1
#4371 io.prometheus:prometheus* 1.8.0
#4360 biz.aQute.bnd:biz.aQute.bnd.annotation (major) 7.3.0
#4332 commons-codec:commons-codec 1.22.0
#4327 commons-io:commons-io 2.22.0
#4017 com.jayway.jsonpath:json-path 2.10.0
#4016 com.fasterxml.jackson:jackson-bom 2.22.0
#4015 dev.logchange (gradle plugin) 1.19.15
#3646 io.opentelemetry:opentelemetry-bom (+ okhttp 5.4.0) 1.63.0
#3589 com.google.cloud:google-cloud-bom 0.265.0

Notes

  • BouncyCastle / security policy: bcpkix-jdk18on 1.84 reads two additional org.bouncycastle.* security properties during EC/ASN.1 init. Granted getProperty access for ec.max_f2m_field_size and asn1.max_cons_depth in both gradle/testing/randomization/policies/solr-tests.policy and solr/server/etc/security.policy (fixes JWTAuthPluginIntegrationTest).
  • randomizedtesting 2.9.1 (Update dependency com.carrotsearch.randomizedtesting:randomizedtesting-runner to v2.9.1 (branch_9x) - autoclosed #4494): 2.9 appends the test seed to test names as name[seed=[...]] with no leading space, which leaked into test-derived collection/alias names and caused Invalid collection errors (TestTlogReplica, TestPullReplica, …). Hardened getSaferTestName() to also cut at the first [, and pointed the two direct getTestName() name-builders (ZkStateReaderTest, CreateRoutedAliasTest) at it.
  • jackson 2.22.0 (Update dependency com.fasterxml.jackson:jackson-bom to v2.22.0 (branch_9x) - autoclosed #4016): Jackson's CBOR (STRINGREF) encoder is one byte/document more compact, so two exact-size assertions needed updating — TestRawResponseWriter (26→25) and TestCborDataFormat (210439→209339). Both tests still verify the bytes round-trip via CborLoader, so the reduction is benign. (Deterministic and locale-independent.)
  • google-cloud-bom 0.265.0 (Update dependency com.google.cloud:google-cloud-bom to v0.265.0 (branch_9x) - abandoned #3589): No code change needed. Its branch_9x CI failure (NoClassDefFoundError …internal/exemplar/ExemplarFilter in OtelTracerConfiguratorTest) was an OpenTelemetry version-convergence artifact of the old base branch; this PR already bundles otel 1.63.0, which relocates that class, so the conflict does not occur here.
  • Follow-up minor/patch bumps: after grouping the above, a few were nudged to the latest patch available — software.amazon.awssdk → 2.46.18 and okhttp → 5.4.0. net.bytebuddy was pinned to the standard 1.18.10 build rather than the -jdk5 flavor Renovate auto-selected (Maven Central tags -jdk5 as latest; Solr targets Java 21 and doesn't need the Java 5 build).
  • I stripped (branch_9x) suffixes from the title of a bunch of changelog files. Such suffixes are nice in PR titles, but makes no sense in CHANGELOG.md

solrbot and others added 30 commits April 25, 2026 01:52
…-repository

Solr's GCS backup uses the HTTP transport, which never loads the gRPC-only
metrics/monitoring stack. Exclude those transitive libs (and prune their
license/checksum files) and implement the new Storage.moveBlob test override.
opentelemetry-exporter-sender-okhttp:1.63.0 requires okhttp 5.x, which
consistent-versions enforces project-wide. Pin the whole com.squareup.okhttp3
family to 5.3.2 so mockwebserver (jwt-auth tests) and okhttp-sse (llm/langchain4j
streaming) don't lag at 4.x and break against okhttp 5. okhttp 5.x splits its
classes into okhttp-jvm, so declare it in jwt-auth and add mockwebserver3
license/checksum files.
google-cloud-bom 0.265.0 requires jackson 2.18.3, which consistent-versions
forces onto classpaths. Aligning the jackson-bom pin (was 2.18.0) keeps the
bom-managed configs consistent with the resolved version, fixing the
jwt-auth analyzeTestClassesDependencies permitTestUnusedDeclared mismatch.
janhoy added 3 commits June 29, 2026 10:02
…h tests)

bcpkix-jdk18on 1.84 reads two additional org.bouncycastle.* security
properties during EC/ASN.1 initialization; grant getProperty access in
both the test policy and the server security policy.
For each upgraded dependency, ensure a single changelog/unreleased entry
reflecting the final merged version: removed intermediate-version duplicates,
updated/renamed stale entries to the final version, and added entries for
upgrades whose solrbot branch did not carry a changelog file.
janhoy added 11 commits June 30, 2026 01:46
Renovate selected the legacy Java-5-compatible -jdk5 artifact because
Maven Central tags it as <latest>/<release>. Solr targets Java 21 and has
no need for the JDK5 build, so pin to the standard 1.18.10 artifacts.
…ndomizedtesting' into deps-branch_9x-2026-06-29
…SaferTestName()

randomizedtesting 2.9 appends the seed to test names as 'name[seed=[...]]'
(no leading space), which leaked into test-derived collection/alias names and
produced 'Invalid collection' errors (TestTlogReplica, TestPullReplica, etc.).
Harden getSaferTestName() to also cut at the first '[', and switch the two
direct getTestName() name builders (ZkStateReaderTest, CreateRoutedAliasTest)
to getSaferTestName().
…he#4016)

jackson 2.22's CBOR encoder (STRINGREF) is one byte/document more compact:
TestRawResponseWriter (26->25) and TestCborDataFormat (210439->209339).
Both tests still verify the encoded bytes round-trip via CborLoader, so the
size reduction is benign. Deterministic and locale-independent.
@epugh

epugh commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

I am trying out this PR locally and just doing basic testing....

  • iTest all pass
  • failing unit tests on CI passes locally
  • Admin UI works
  • spot checked solr cli

@epugh epugh left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I listed in a comment the manual testing I did.

@janhoy janhoy merged commit c566e61 into apache:branch_9x Jun 30, 2026
4 of 5 checks passed
@janhoy janhoy deleted the deps-branch_9x-2026-06-29 branch June 30, 2026 19:53
@epugh

epugh commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Thank you for doing this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants