Remove or minimize the number of dependencies #108

Open
opened 2025-02-12 14:02:05 +01:00 by ansv7779 · 0 comments
Owner

While it is not a good idea to reinvent the wheel over and over, it is also not a good idea to add every dependency there is. There is overhead for every dependency added, where at a minimum they all require regular version upgrades. And every time they are updated something may break, as just happened in #107.

Having a huge number of dependencies also makes it harder to write new code since the suggestions provided by the editor include all classes from every dependency. If I try to add a new label (the way you display text in Wicket) I will get six suggestions of different labels and the correct one is the fifth suggestion. This can be minimized by utilizing Java's module system to only make the relevant (direct) dependencies available to SciPro's code rather than including transitive ones as well.

There are also somewhat regular security holes popping up, not all are relevant of course, but every one must be evaluated and dealt with.

With the introduction of Spring in #5 it comes with a lot of batteries included where we could potentially eliminate many other dependencies and use the provided functionality instead. It is also a large, well-known, and well-maintained library, reducing the risk of unpatched security holes.

The list of dependencies is long and provides a lot of functionality; very little is used directly by SciPro and a lot are what is known as transitive dependencies (dependencies of SciPro's direct dependencies). It is possible, by analyzing what SciPro needs, to exclude some of these transitive dependencies but this is a potentially brittle action since something that looks usable isn't because its dependencies have been excluded.

Here's a complete list of all the current libraries in use by SciPro (156 total)

accessors-smart-2.5.1.jar
angus-activation-2.0.2.jar
antlr4-runtime-4.13.0.jar
aopalliance-repackaged-3.0.6.jar
api-0.1-SNAPSHOT.jar
asm-9.7.1.jar
bootstrap-5.3.2.jar
byte-buddy-1.15.11.jar
caffeine-3.1.8.jar
checker-qual-3.33.0.jar
classmate-1.7.0.jar
commons-beanutils-1.9.4.jar
commons-codec-1.17.1.jar
commons-collections-3.2.2.jar
commons-collections4-4.4.jar
commons-compress-1.25.0.jar
commons-digester-2.1.jar
commons-fileupload2-core-2.0.0-M2.jar
commons-fileupload2-jakarta-servlet5-2.0.0-M2.jar
commons-io-2.15.0.jar
commons-lang3-3.17.0.jar
commons-logging-1.1.1.jar
commons-math3-3.6.1.jar
content-type-2.2.jar
core-0.1-SNAPSHOT.jar
curvesapi-1.08.jar
ecj-3.21.0.jar
error_prone_annotations-2.18.0.jar
failureaccess-1.0.1.jar
flyway-core-9.19.1.jar
flyway-mysql-9.19.1.jar
gson-2.11.0.jar
guava-32.0.1-jre.jar
hibernate-commons-annotations-6.0.6.Final.jar
hibernate-core-6.5.0.Final.jar
hk2-api-3.0.6.jar
hk2-locator-3.0.6.jar
hk2-utils-3.0.6.jar
istack-commons-runtime-4.1.2.jar
j2objc-annotations-2.8.jar
jackson-annotations-2.18.2.jar
jackson-core-2.18.2.jar
jackson-databind-2.18.2.jar
jackson-dataformat-xml-2.18.2.jar
jackson-dataformat-yaml-2.18.2.jar
jackson-datatype-jdk8-2.18.2.jar
jackson-datatype-jsr310-2.18.2.jar
jackson-module-jakarta-xmlbind-annotations-2.18.2.jar
jackson-module-parameter-names-2.18.2.jar
jakarta.activation-api-2.1.3.jar
jakarta.annotation-api-2.1.1.jar
jakarta.inject-api-2.0.1.jar
jakarta.mail-2.0.2.jar
jakarta.mail-api-2.1.3.jar
jakarta.persistence-api-3.1.0.jar
jakarta.transaction-api-2.0.1.jar
jakarta.validation-api-3.0.2.jar
jakarta.ws.rs-api-3.1.0.jar
jakarta.xml.bind-api-4.0.2.jar
jandex-3.1.2.jar
jasperreports-6.21.3.jar
javassist-3.30.2-GA.jar
javax.inject-1.jar
jaxb-core-4.0.5.jar
jaxb-runtime-4.0.5.jar
jboss-logging-3.6.1.Final.jar
jcip-annotations-1.0-1.jar
jcl-over-slf4j-2.0.7.jar
jcommon-1.0.23.jar
jdk-serializable-functional-1.9.0.jar
jersey-client-3.1.9.jar
jersey-common-3.1.9.jar
jersey-entity-filtering-3.1.9.jar
jersey-hk2-3.1.9.jar
jersey-media-jaxb-3.1.9.jar
jersey-media-json-jackson-3.1.9.jar
jfreechart-1.0.19.jar
jna-5.12.1.jar
jna-platform-5.12.1.jar
json-smart-2.5.1.jar
jspecify-1.0.0.jar
jsr305-3.0.2.jar
lang-tag-1.7.jar
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
log4j-api-2.24.3.jar
log4j-core-2.24.3.jar
log4j-jakarta-smtp-2.24.3.jar
log4j-jul-2.24.3.jar
log4j-slf4j2-impl-2.24.3.jar
mariadb-java-client-3.2.0.jar
micrometer-commons-1.14.2.jar
micrometer-observation-1.14.2.jar
mysema-commons-lang-0.2.4.jar
nimbus-jose-jwt-9.37.3.jar
oauth2-oidc-sdk-9.43.4.jar
openjson-1.0.13.jar
openpdf-1.3.30.jar
osgi-resource-locator-1.0.3.jar
poi-5.2.5.jar
poi-ooxml-5.2.5.jar
poi-ooxml-lite-5.2.5.jar
querydsl-core-5.1.0.jar
querydsl-jpa-5.0.0-jakarta.jar
slf4j-api-2.0.7.jar
snakeyaml-2.3.jar
SparseBitSet-1.3.jar
spring-aop-6.2.1.jar
spring-beans-6.2.1.jar
spring-boot-3.4.1.jar
spring-boot-autoconfigure-3.4.1.jar
spring-boot-starter-3.4.1.jar
spring-boot-starter-json-3.4.1.jar
spring-boot-starter-log4j2-3.4.1.jar
spring-boot-starter-oauth2-client-3.4.1.jar
spring-boot-starter-oauth2-resource-server-3.4.1.jar
spring-boot-starter-security-3.4.1.jar
spring-boot-starter-web-3.4.1.jar
spring-context-6.2.1.jar
spring-core-6.2.1.jar
spring-expression-6.2.1.jar
spring-jcl-6.2.1.jar
spring-jdbc-6.2.1.jar
spring-orm-6.2.1.jar
spring-security-config-6.4.2.jar
spring-security-core-6.4.2.jar
spring-security-crypto-6.4.2.jar
spring-security-oauth2-client-6.4.2.jar
spring-security-oauth2-core-6.4.2.jar
spring-security-oauth2-jose-6.4.2.jar
spring-security-oauth2-resource-server-6.4.2.jar
spring-security-web-6.4.2.jar
spring-tx-6.2.1.jar
spring-web-6.2.1.jar
spring-webmvc-6.2.1.jar
springdoc-openapi-starter-common-2.8.3.jar
springdoc-openapi-starter-webmvc-api-2.8.3.jar
springdoc-openapi-starter-webmvc-ui-2.8.3.jar
stax2-api-4.2.2.jar
swagger-annotations-jakarta-2.2.27.jar
swagger-core-jakarta-2.2.27.jar
swagger-models-jakarta-2.2.27.jar
swagger-ui-5.18.2.jar
txw2-4.0.5.jar
waffle-jna-3.2.0.jar
webjars-locator-lite-1.0.1.jar
wicket-core-10.4.0.jar
wicket-extensions-10.4.0.jar
wicket-ioc-10.4.0.jar
wicket-request-10.4.0.jar
wicket-spring-10.4.0.jar
wicket-util-10.4.0.jar
wicket-webjars-3.0.7.jar
wicketstuff-jasperreports-10.4.0.jar
wicketstuff-select2-10.4.0.jar
woodstox-core-7.0.0.jar
xmlbeans-5.2.0.jar
ansv7779 added the new label 2025-02-12 14:06:10 +01:00
andan removed the new label 2025-02-13 13:26:50 +01:00
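The issue notes that every security hole in any of the listed jars has to be evaluated. As an added example (not part of the issue and not SciPro code), the sketch below turns a jar listing like the one above into an artifact/version inventory and checks it against an advisory feed; the function names, the advisory IDs and the fix versions are all constructed for illustration.

```python
import re

# Heuristic: the artifact name ends at the first "-" that is followed by a digit.
# It would mis-split an artifact with a "-<digit>" segment in its name.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")

def parse_jar(filename):
    """Split 'artifact-version.jar' into (artifact, version); None if no match."""
    m = JAR_RE.match(filename.strip())
    return (m["artifact"], m["version"]) if m else None

def version_key(version, width=4):
    """Numeric prefix as a padded tuple; qualifiers (-M2, .Final, -jre) are ignored."""
    nums = re.match(r"\d+(?:\.\d+)*", version).group().split(".")
    key = [int(n) for n in nums][:width]
    return tuple(key + [0] * (width - len(key)))

def triage(jar_names, advisories):
    """Return (findings, unparsed). A finding is a jar older than an advisory's fix."""
    inventory, unparsed = {}, []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed:
            inventory[parsed[0]] = parsed[1]
        else:
            unparsed.append(name)
    findings = [
        (adv["id"], adv["artifact"], inventory[adv["artifact"]], adv["fixed_in"])
        for adv in advisories
        if adv["artifact"] in inventory
        and version_key(inventory[adv["artifact"]]) < version_key(adv["fixed_in"])
    ]
    return findings, unparsed

# Subset of the jar names listed in the issue, plus one constructed bad entry.
JARS = """commons-fileupload2-jakarta-servlet5-2.0.0-M2.jar
hibernate-core-6.5.0.Final.jar
log4j-slf4j2-impl-2.24.3.jar
querydsl-jpa-5.0.0-jakarta.jar
javax.inject-1.jar
commons-io-2.15.0.jar
not-a-versioned-file.txt""".splitlines()

# Constructed advisory feed: IDs and fix versions are made up for the example.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "artifact": "commons-io", "fixed_in": "2.16.0"},
    {"id": "EXAMPLE-ADV-2", "artifact": "hibernate-core", "fixed_in": "6.5.0"},
    {"id": "EXAMPLE-ADV-3", "artifact": "not-on-classpath", "fixed_in": "1.0"},
]

if __name__ == "__main__":
    findings, unparsed = triage(JARS, ADVISORIES)
    print("needs evaluation:", findings, "unparsed:", unparsed)
```

Because pre-release and vendor qualifiers are ignored in the comparison, a milestone build such as `2.0.0-M2` is treated as `2.0.0`, so such entries still need a manual look.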
Reference: DMC/scipro#108