Skip to content

UNOMI-875: PR2 dependency hygiene (E1 + E2)#795

Merged
sergehuber merged 13 commits into
masterfrom
UNOMI-875-pr2-dependency-hygiene
Jul 2, 2026
Merged

UNOMI-875: PR2 dependency hygiene (E1 + E2)#795
sergehuber merged 13 commits into
masterfrom
UNOMI-875-pr2-dependency-hygiene

Conversation

@sergehuber

@sergehuber sergehuber commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Plain-language summary

This PR updates libraries and build tools used by Unomi before the 3.1 release. It fixes known security issues in npm packages and the Kafka client, moves the front-end build to a supported Node version, and removes CI warnings about old GitHub Actions runtimes.

It also fixes small bugs found while testing: a race in Groovy action cache cleanup and a Kafka API change after the client bump.

Log4j and OpenCSV are not included. Log4j 2.24.0 was tried but broke the Elasticsearch client OSGi bundle, so it stays at 2.19.0 until PR3 (Karaf + ES/OS + log4j upgrade).

What changed

Front-end (E1)

Build toolchain

  • Root pom.xml: frontend-maven-plugin 1.12.1 → 2.0.1, Node v16.20.2 → v22.19.0, Yarn v1.22.19 → v1.22.22.
  • Child pom.xml files for wab and graphql-ui inherit these versions (no local overrides).

Java libraries (E2)

Fixes found during the upgrade

  • plugins/kafka-injector: use poll(Duration) instead of the removed poll(long) API.
  • GroovyActionsServiceImpl: fix a race between cache refresh and remove in multi-tenant Groovy actions (stale script could stay in memory).

CI

  • Upgrade GitHub Actions to Node.js 24 runtimes: checkout@v5, setup-java@v5, upload-artifact@v6.

Deferred to PR3 (Karaf + ES/OS + log4j)

Skipped / already OK

Test plan

  • yarn build in extensions/web-tracker/wab
  • yarn build in graphql/graphql-ui
  • mvn -pl graphql/graphql-ui -am generate-resources
  • mvn -pl persistence-elasticsearch/core -am -DskipTests package (after log4j revert)
  • ./build.sh --ci (local)
  • GitHub Actions: unit tests + integration tests (Elasticsearch and OpenSearch)

References

UNOMI-875 · Dependabot #554, #566, #635, #671, #674

sergehuber added 13 commits July 1, 2026 13:31
Resolve Dependabot advisories for decode-uri-component, json5, semver, and upgrade Babel toolchain.
Addresses Dependabot #634 in the GraphiQL UI module.
Align root kafka-client.version with Dependabot #674; kafka-injector uses BOM-managed version.
Align root log4j.version with Dependabot #692 across BOM-managed modules.
Log4j 2.24 embeds two OSGi activators; remove the header so the Felix bundle plugin can build.
Log4j 2.24 JARs carry conflicting Bundle-Activator headers when embedded; use platform log4j instead.
Use frontend-maven-plugin 2.0.1, Node v22.19.0, and Yarn 1.22.22 from root pom; remove per-module plugin version drift.
… build.

core-js-compat requires semver 7 subpaths; blanket resolutions break webpack/babel-loader.
…olution, fix poll(Duration).

- graphql-ui: bump @babel/core|preset-env|preset-react ^7.10.4 → ^7.24.0
- graphql-ui: remove **/postcss 7.0.39 resolution (direct dep already at ^8.4.28)
- kafka-injector: replace deprecated KafkaConsumer.poll(long) with poll(Duration)
… testMultiTenantIsolation.

The cache-refresh scheduler fires every 1 000 ms and runs processGroovyActionForCache()
under the type-refresh write lock.  The old remove() stripped the entry from
scriptMetadataCacheByTenant before calling removeItem(), so a concurrent refresh
could re-insert the entry between that early removal and the locked persistence
delete, leaving getCompiledScript() with a stale class reference.

Fix: add a protected onItemRemoved() hook to AbstractMultiTypeCachingService that
is invoked inside removeItem() while the read lock is held (mutually exclusive
with the refresh write lock).  GroovyActionsServiceImpl overrides this hook to
remove from scriptMetadataCacheByTenant, guaranteeing the entry is gone by the
time any subsequent getCompiledScript() call runs.
Bump checkout and setup-java to v5 and upload-artifact to v6 so CI
jobs no longer run node20 actions on forced node24 runners.
Log4j 2.24.0 breaks the Elasticsearch client OSGi bundle. Defer #692
with the platform upgrade in PR3.
@sergehuber sergehuber merged commit ef10dfe into master Jul 2, 2026
7 checks passed
@sergehuber sergehuber deleted the UNOMI-875-pr2-dependency-hygiene branch July 2, 2026 07:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant