Bump org.apache.commons:commons-configuration2 from 2.9.0 to 2.10.1 #9430
@dependabot rebase
34252d2 to 948dbf8
@dependabot rebase
948dbf8 to cc2ad68
@dependabot rebase
cc2ad68 to d30d520
@abollini and @LucaGiamminonni : For some strange reason, this minor update to Could one of you find time to dig into this issue? It almost seems like a possible bug in either
@LucaGiamminonni and @abollini : I dug into this a bit more yesterday. I cannot get the It seems like, after updating I've had difficulty figuring out why these errors are occurring, but they are reproducible locally and in GitHub CI. If possible, I need help/support on fixing this. We need to find a way to safely upgrade Assigning this PR to both of you, as I think you'll have an easier time than I on this. It's not obvious to me what the "external-id.required" error means or why it's being thrown in this scenario. It might be a sign of a bug in the code, or a broken IT. It's mysterious to me why upgrading
@dependabot rebase

Bumps org.apache.commons:commons-configuration2 from 2.9.0 to 2.10.1.

---
updated-dependencies:
- dependency-name: org.apache.commons:commons-configuration2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

d30d520 to df7220b
@abollini : After further investigation, I've determined that the failures in this PR appear to be a change in behavior for Apache Commons Configuration v2. Specifically, the issue appears to be a problem loading an array of values out of a configuration file into a Spring Bean. Let me explain:
In other words, the only way I've found to fix the
However, that implies to me that we have an issue with upgrading SUMMARY: This upgrade to However, I don't believe DSpace is vulnerable to the security issues fixed in
To determine the source of the issue, I attempted a refactor to pull in multi-valued configurations via
Unfortunately, that doesn't work either & only the first value is imported into the I've reported this issue on the PR which I believe may have caused this behavior change: apache/commons-configuration#309 (comment) Will move this report to the Apache Commons Configuration JIRA once I've been given permissions to do so.
Bumps org.apache.commons:commons-configuration2 from 2.9.0 to 2.10.1.