Bulk dependency upgrades 2026-06-29 (branch_9x)#4570
Merged
Conversation
…g-runner to v2.9.1 (branch_9x)
…-repository Solr's GCS backup uses the HTTP transport, which never loads the gRPC-only metrics/monitoring stack. Exclude those transitive libs (and prune their license/checksum files) and implement the new Storage.moveBlob test override.
opentelemetry-exporter-sender-okhttp:1.63.0 requires okhttp 5.x, which consistent-versions enforces project-wide. Pin the whole com.squareup.okhttp3 family to 5.3.2 so mockwebserver (jwt-auth tests) and okhttp-sse (llm/langchain4j streaming) don't lag at 4.x and break against okhttp 5. okhttp 5.x splits its classes into okhttp-jvm, so declare it in jwt-auth and add mockwebserver3 license/checksum files.
google-cloud-bom 0.265.0 requires jackson 2.18.3, which consistent-versions forces onto classpaths. Aligning the jackson-bom pin (was 2.18.0) keeps the bom-managed configs consistent with the resolved version, fixing the jwt-auth analyzeTestClassesDependencies permitTestUnusedDeclared mismatch.
…h tests) bcpkix-jdk18on 1.84 reads two additional org.bouncycastle.* security properties during EC/ASN.1 initialization; grant getProperty access in both the test policy and the server security policy.
For each upgraded dependency, ensure a single changelog/unreleased entry reflecting the final merged version: removed intermediate-version duplicates, updated/renamed stale entries to the final version, and added entries for upgrades whose solrbot branch did not carry a changelog file.
Renovate selected the legacy Java-5-compatible -jdk5 artifact because Maven Central tags it as <latest>/<release>. Solr targets Java 21 and has no need for the JDK5 build, so pin to the standard 1.18.10 artifacts.
…ndomizedtesting' into deps-branch_9x-2026-06-29
…SaferTestName() randomizedtesting 2.9 appends the seed to test names as 'name[seed=[...]]' (no leading space), which leaked into test-derived collection/alias names and produced 'Invalid collection' errors (TestTlogReplica, TestPullReplica, etc.). Harden getSaferTestName() to also cut at the first '[', and switch the two direct getTestName() name builders (ZkStateReaderTest, CreateRoutedAliasTest) to getSaferTestName().
…he#4016) jackson 2.22's CBOR encoder (STRINGREF) is one byte/document more compact: TestRawResponseWriter (26->25) and TestCborDataFormat (210439->209339). Both tests still verify the encoded bytes round-trip via CborLoader, so the size reduction is benign. Deterministic and locale-independent.
Contributor
|
I am trying out this PR locally and just doing basic testing....
|
epugh
approved these changes
Jun 30, 2026
epugh
left a comment
Contributor
There was a problem hiding this comment.
LGTM. I listed in a comment the manual testing I did.
Contributor
|
Thank you for doing this! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Dependency upgrades — branch_9x branch (2026-06-29)
This is an AI assisted PR grouping dependency upgrade PRs that had all CI checks passing on
branch_9xas of 2026-06-29. It is NOT a backport of upgrades from main branch, since 9x requires java11 and have other contstraints, so the updates are independent.Lockfile was regenerated, license checksums updated, version-compatibility issues resolved, and the full test suite verified locally.
Successfully merged PRs
com.carrotsearch.randomizedtesting:*2.9.1io.dropwizard.metrics:*4.2.39org.apache.tika:*3.3.1com.google.protobuf:*4.35.1org.immutables:value-annotations2.12.2org.apache.commons:commons-configuration22.15.1org.slf4j:*2.0.18io.netty:netty*4.2.15.Finalcom.github.ben-manes.caffeine:caffeine3.2.4org.testcontainers:testcontainers*(major)2.0.5net.bytebuddy:*1.18.10org.bouncycastle:bcpkix-jdk18on1.84org.apache.kerby:*2.1.2software.amazon.awssdk:*2.46.18io.grpc:grpc-*1.82.1io.prometheus:prometheus*1.8.0biz.aQute.bnd:biz.aQute.bnd.annotation(major)7.3.0commons-codec:commons-codec1.22.0commons-io:commons-io2.22.0com.jayway.jsonpath:json-path2.10.0com.fasterxml.jackson:jackson-bom2.22.0dev.logchange(gradle plugin)1.19.15io.opentelemetry:opentelemetry-bom(+okhttp5.4.0)1.63.0com.google.cloud:google-cloud-bom0.265.0Notes
bcpkix-jdk18on1.84 reads two additionalorg.bouncycastle.*security properties during EC/ASN.1 init. GrantedgetPropertyaccess forec.max_f2m_field_sizeandasn1.max_cons_depthin bothgradle/testing/randomization/policies/solr-tests.policyandsolr/server/etc/security.policy(fixesJWTAuthPluginIntegrationTest).name[seed=[...]]with no leading space, which leaked into test-derived collection/alias names and causedInvalid collectionerrors (TestTlogReplica,TestPullReplica, …). HardenedgetSaferTestName()to also cut at the first[, and pointed the two directgetTestName()name-builders (ZkStateReaderTest,CreateRoutedAliasTest) at it.STRINGREF) encoder is one byte/document more compact, so two exact-size assertions needed updating —TestRawResponseWriter(26→25) andTestCborDataFormat(210439→209339). Both tests still verify the bytes round-trip viaCborLoader, so the reduction is benign. (Deterministic and locale-independent.)branch_9xCI failure (NoClassDefFoundError …internal/exemplar/ExemplarFilterinOtelTracerConfiguratorTest) was an OpenTelemetry version-convergence artifact of the old base branch; this PR already bundles otel 1.63.0, which relocates that class, so the conflict does not occur here.software.amazon.awssdk→ 2.46.18 andokhttp→ 5.4.0.net.bytebuddywas pinned to the standard1.18.10build rather than the-jdk5flavor Renovate auto-selected (Maven Central tags-jdk5aslatest; Solr targets Java 21 and doesn't need the Java 5 build).(branch_9x)suffixes from the title of a bunch of changelog files. Such suffixes are nice in PR titles, but makes no sense inCHANGELOG.md