build(deps): bump io.github.jeremylong:open-vulnerability-clients from 7.3.2 to 9.0.1 #7630
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=80&v=4){kind=small}
Bumps [io.github.jeremylong:open-vulnerability-clients](https://github.com/jeremylong/vuln-tools) from 7.3.2 to 8.0.0. - [Release notes](https://github.com/jeremylong/vuln-tools/releases) - [Commits](https://github.com/jeremylong/vuln-tools/commits/v8.0.0) --- updated-dependencies: - dependency-name: io.github.jeremylong:open-vulnerability-clients dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
jeremylong
changed the title
boring-cyborg
bot
added
core
…ulnerability-clients-8.0.0
|
@nhumblot Think this could be merged too? Or is there a reason to not include it in a minor release of ODC? |
|
I felt this was a breaking change - so I was going to include it in the next major release. At least we should wait for the next minor release as opposed to the pending point release. |
|
While for the library it was a breaking release (split between CLI and the library code as separately released projects), I think for ODC it would not be a non-breaking change. AFAICT We're only adapting our internals and introducing two configuration properties (not exposed to the plugin configs) - one might consider the added properties a new feature for people using properties-file configurstion, so I can see how you may want to skip the revision level and wait for a feature release, though I would say for a proper feature it should be extended with extending the configurability in the gradle- and maven plugin configuration settings. |
|
Hi, Sorry for the late reply. I marked commit 8cc9ade with a I have to admit I did not manual test this part extensively. I am going to proceed additional testing and share with you if my initial thought was good or not. |
|
A newer version of io.github.jeremylong:open-vulnerability-clients exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged. |
|
I'll revisit this PR soon based on @aikebah's comment above and the recent release of 9.0.1 (although most of the changes in 9.0.1 are related to GHSA). |
…ulnerability-clients-8.0.0
nhumblot
changed the title
This supposition is invalid. This is not a blocker change as default values are hard-coded into Test conducted with a CLI packaged from commit 63575bb ( I removed the breaking change notification |
nhumblot
changed the title
Major version bump to 9.x.x is due to the removal of a public getter, which is not used by Dependency Check. I proposed to add it in this PR through 10de1bb. PR title has been changed. |
…ulnerability-clients-8.0.0
3 participants
Bumps io.github.jeremylong:open-vulnerability-clients from 7.3.2 to 8.0.0.
Release notes
Sourced from io.github.jeremylong:open-vulnerability-clients's releases.
Commits
You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)