From 69af10b002b5f9f5f50966f83ea1761b375bb8a9 Mon Sep 17 00:00:00 2001
From: Broad Bot <61600560+broadbot@users.noreply.github.com>
Date: Tue, 12 Nov 2024 06:53:12 -0800
Subject: [PATCH 1/9] CORE-69: Update logback-classic from 1.5.10 to 1.5.12 (#3100)
---
 automation/project/Dependencies.scala | 2 +-
 project/Dependencies.scala | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/automation/project/Dependencies.scala b/automation/project/Dependencies.scala
index 9186008d14..4866223ead 100644
--- a/automation/project/Dependencies.scala
+++ b/automation/project/Dependencies.scala
@@ -39,7 +39,7 @@ object Dependencies {
 "com.fasterxml.jackson.core" % "jackson-databind" % jacksonV,
 "com.fasterxml.jackson.core" % "jackson-core" % jacksonV,
 "com.fasterxml.jackson.module" % ("jackson-module-scala_" + scalaV) % jacksonV,
- "ch.qos.logback" % "logback-classic" % "1.5.10",
+ "ch.qos.logback" % "logback-classic" % "1.5.12",
 "net.logstash.logback" % "logstash-logback-encoder" % "6.6",
 "com.google.apis" % "google-api-services-oauth2" % "v1-rev112-1.22.0" excludeAll (
 ExclusionRule("com.google.guava", "guava-jdk5"),
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 52e32edad8..83143e4e69 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -69,7 +69,7 @@ object Dependencies {
 val webjarsLocator: ModuleID = "org.webjars" % "webjars-locator" % "0.52"
 val commonsJEXL: ModuleID = "org.apache.commons" % "commons-jexl" % "2.1.1"
 val cats: ModuleID = "org.typelevel" %% "cats-core" % "2.12.0"
- val logbackClassic: ModuleID = "ch.qos.logback" % "logback-classic" % "1.5.10"
+ val logbackClassic: ModuleID = "ch.qos.logback" % "logback-classic" % "1.5.12"
 val scalaUri: ModuleID = "io.lemonlabs" %% "scala-uri" % "3.0.0"
 val scalatest: ModuleID = "org.scalatest" %% "scalatest" % "3.2.19" % "test"
 val mockito: ModuleID = "org.scalatestplus" %% "mockito-4-2" % "3.2.11.0" % Test
From 5031dcb45b243334f113fd510ef8b8c0f2e6b5bf Mon Sep 17 00:00:00 2001
From: Broad Bot <61600560+broadbot@users.noreply.github.com>
Date: Tue, 12 Nov 2024 07:26:15 -0800
Subject: [PATCH 2/9] CORE-69: Update sentry-logback from 7.15.0 to 7.16.0 (#3101)
---
 project/Dependencies.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 83143e4e69..28e423543c 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -65,7 +65,7 @@ object Dependencies {
 val jodaTime: ModuleID = "joda-time" % "joda-time" % "2.13.0"
 val jodaConvert: ModuleID = "org.joda" % "joda-convert" % "2.2.4"
 val typesafeConfig: ModuleID = "com.typesafe" % "config" % "1.4.3"
- val sentryLogback: ModuleID = "io.sentry" % "sentry-logback" % "7.15.0"
+ val sentryLogback: ModuleID = "io.sentry" % "sentry-logback" % "7.16.0"
 val webjarsLocator: ModuleID = "org.webjars" % "webjars-locator" % "0.52"
 val commonsJEXL: ModuleID = "org.apache.commons" % "commons-jexl" % "2.1.1"
 val cats: ModuleID = "org.typelevel" %% "cats-core" % "2.12.0"
From e65fd78400d9dbeb1ad137baaeb4d3dfd1db55e2 Mon Sep 17 00:00:00 2001
From: Broad Bot <61600560+broadbot@users.noreply.github.com>
Date: Tue, 12 Nov 2024 08:05:34 -0800
Subject: [PATCH 3/9] CORE-69: Update swagger-parser-v3 from 2.1.22 to 2.1.23 (#3102)
Co-authored-by: trholdridge <37459148+trholdridge@users.noreply.github.com>
---
 project/Dependencies.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 28e423543c..5f3f8a20b8 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -148,7 +148,7 @@ object Dependencies { val kindProjector = compilerPlugin(("org.typelevel" %% "kind-projector" % "0.13.3").cross(CrossVersion.full)) val betterMonadicFor = compilerPlugin("com.olegpy" %% "better-monadic-for" % "0.3.1") - val openApiParser: ModuleID = "io.swagger.parser.v3" % "swagger-parser-v3" % "2.1.22" + val openApiParser: ModuleID = "io.swagger.parser.v3" % "swagger-parser-v3" % "2.1.23" // Overrides for transitive dependencies. These apply - via Settings.scala - to all projects in this codebase. // These are overrides only; if the direct dependencies stop including any of these, they will not be included From 226fad77a244023b4b8c17788b047a16b0315f4d Mon Sep 17 00:00:00 2001 From: Broad Bot <61600560+broadbot@users.noreply.github.com> Date: Tue, 12 Nov 2024 08:40:14 -0800 Subject: [PATCH 4/9] CORE-69: Update jackson-core from 2.18.0 to 2.18.1 (#3112) Co-authored-by: trholdridge <37459148+trholdridge@users.noreply.github.com> --- automation/project/Dependencies.scala | 2 +- project/Dependencies.scala | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/project/Dependencies.scala b/automation/project/Dependencies.scala index 4866223ead..26fccfd035 100644 --- a/automation/project/Dependencies.scala +++ b/automation/project/Dependencies.scala @@ -5,7 +5,7 @@ object Dependencies { val akkaV = "2.6.8" val akkaHttpV = "10.2.0" - val jacksonV = "2.18.0" + val jacksonV = "2.18.1" val workbenchLibsHash = "80e4b8d" val serviceTestV = s"5.0-${workbenchLibsHash}" diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 5f3f8a20b8..312d3903b0 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala 
@@ -61,7 +61,7 @@ object Dependencies {
 val metricsStatsd: ModuleID = "com.readytalk" % "metrics3-statsd" % "4.2.0"
 val scalaLogging: ModuleID = "com.typesafe.scala-logging" %% "scala-logging" % "3.9.5"
 
- val jacksonCore: ModuleID = "com.fasterxml.jackson.core" % "jackson-core" % "2.18.0"
+ val jacksonCore: ModuleID = "com.fasterxml.jackson.core" % "jackson-core" % "2.18.1"
 val jodaTime: ModuleID = "joda-time" % "joda-time" % "2.13.0"
 val jodaConvert: ModuleID = "org.joda" % "joda-convert" % "2.2.4"
 val typesafeConfig: ModuleID = "com.typesafe" % "config" % "1.4.3"
From 482951634497227481da825921b6a160b26f58cb Mon Sep 17 00:00:00 2001
From: Marc Talbott
Date: Tue, 12 Nov 2024 12:28:56 -0500
Subject: [PATCH 5/9] [CORE-153] Change Scala Steward settings for fewer PRs (#3121)
* group patch and minor updates, smaller limit on new PRs, less frequent updating
* change title
---
 .scala-steward.conf | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/.scala-steward.conf b/.scala-steward.conf
index 322bfc5410..e8a308ddaa 100644
--- a/.scala-steward.conf
+++ b/.scala-steward.conf
@@ -30,6 +30,39 @@ pullRequests.frequency = "0 0 ? * MON" # every monday at midnight # Defaults to no labels (no labels are added). pullRequests.customLabels = [ "Scala_Steward" ] +# pullRequests.grouping allows you to specify how Scala Steward should group +# your updates in order to reduce the number of pull-requests. +# +# Updates will be placed in the first group with which they match, starting +# from the first in the array. Those that do not match any group will follow +# the default procedure (one PR per update). +# +# Each element in the array will have the following schema: +# +# - name (mandatory): the name of the group, will be used for things like naming the branch +# - title (optional): if provided it will be used as the title for the PR +# - filter (mandatory): a non-empty list containing the filters to use to know +# if an update falls into this group. +# +# `filter` properties would have this format: +# +# { +# version = "major" | "minor" | "patch" | "pre-release" | "build-metadata", +# group = "{group}", +# artifact = "{artifact}" +# } +# +# For more information on the values for the `version` filter visit https://semver.org/ +# +# Every field in a `filter` is optional but at least one must be provided. +# +# For grouping every update together a filter like {group = "*"} can be # provided. +# +# To create a new PR for each unique combination of artifact-versions, include ${hash} in the name. +# +# Default: [] +pullRequests.grouping = [ { name = "minor_patch", title = "CORE-69: Minor and patch updates - ${artifactVersions}", filter = [ { version = "minor" }, { version = "patch" } ] } ] + # Only these dependencies which match the given patterns are updated. # # Each pattern must have `groupId`, and may have `artifactId` and `version`. 
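Review bot: The added comment line `# For grouping every update together a filter like {group = "*"} can be # provided.` looks like it carries a stray `#` in the middle of the sentence (every other added line here starts with its own `+#`, while this fragment does not), which reads as a copy-paste artifact from the upstream documentation; drop the `#` or split it into two comment lines. The `pullRequests.grouping` value itself matches the schema the comment describes, but nothing next to it says why minor and patch updates are now bundled, in a file where every other setting carries a reason and a `# Default:` line. A one-line note such as `# CORE-153: bundle minor/patch bumps into one PR to cut PR volume` above the value would spare readers a trip to the ticket.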
@@ -53,7 +86,7 @@ pullRequests.customLabels = [ "Scala_Steward" ] # If set, Scala Steward will only create or update `n` PRs each time it runs (see `pullRequests.frequency` above). # Useful if running frequently and/or CI build are costly # Default: None -updates.limit = 10 +updates.limit = 5 # The extensions of files that should be updated. # Default: [".scala", ".sbt", ".sbt.shared", ".sc", ".yml", "pom.xml"] @@ -65,7 +98,7 @@ updates.limit = 10 # you don't change it yourself. # If "never", Scala Steward will never update the PR # Default: "on-conflicts" -updatePullRequests = "always" +updatePullRequests = "on-conflicts" # If set, Scala Steward will use this message template for the commit messages and PR titles. # Supported variables: ${artifactName}, ${currentVersion}, ${nextVersion} and ${default} From 99cdeafc504a2e73ff2c97819bfd0762d3446235 Mon Sep 17 00:00:00 2001 From: Broad Bot <61600560+broadbot@users.noreply.github.com> Date: Tue, 12 Nov 2024 10:06:18 -0800 Subject: [PATCH 6/9] CORE-69: Update sam-client from v0.0.296 to v0.0.306 (#3127) --- project/Dependencies.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 312d3903b0..df67255f22 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala 
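Review bot: `updates.limit = 5` and `updatePullRequests = "on-conflicts"` are both changed without an inline reason, although the surrounding comments explain every other setting; a line such as `# CORE-153: lowered from 10 now that minor/patch bumps are grouped (see pullRequests.grouping)` above `updates.limit` would make the trade-off visible in the file rather than only in the commit message. With `on-conflicts`, an already-open PR is presumably no longer refreshed when a newer version of the same artifact appears, so a bump that lands while a grouped PR is open waits for the next run or for a conflict; worth confirming that delay is acceptable for updates picked up because of a security advisory, and recording that decision next to `updatePullRequests`.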
@@ -133,7 +133,7 @@ object Dependencies { val resourceBufferService = clientLibExclusions("bio.terra" % "terra-resource-buffer-client" % "0.198.42-SNAPSHOT") val billingProfileManager = clientLibExclusions("bio.terra" % "billing-profile-manager-client" % "0.1.584-SNAPSHOT") val terraCommonLib = tclExclusions(clientLibExclusions("bio.terra" % "terra-common-lib" % "0.1.23-SNAPSHOT" classifier "plain")) - val sam: ModuleID = clientLibExclusions("org.broadinstitute.dsde.workbench" %% "sam-client" % "v0.0.296") + val sam: ModuleID = clientLibExclusions("org.broadinstitute.dsde.workbench" %% "sam-client" % "v0.0.306") val leonardo: ModuleID = "org.broadinstitute.dsde.workbench" % "leonardo-client_2.13" % "1.3.6-2e87300" // OpenTelemetry From 986b6fdface738d9c69bdd6fee9ab9ed900e1eac Mon Sep 17 00:00:00 2001 From: David An Date: Tue, 12 Nov 2024 13:33:48 -0500 Subject: [PATCH 7/9] update transitive dependency overrides (#3130) --- project/Dependencies.scala | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index df67255f22..16b3c44b8b 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -155,10 +155,8 @@ object Dependencies { // in Rawls by being listed here. // One reason to specify an override here is to avoid static-analysis security warnings. val transitiveDependencyOverrides = Seq( - //Override for reactor-netty to address CVE-2023-34054 and CVE-2023-34062 - "io.projectreactor.netty" % "reactor-netty-http" % "1.0.39", // override commons-codec to address a non-CVE warning from DefectDojo - "commons-codec" % "commons-codec" % "1.16.1" + "commons-codec" % "commons-codec" % "1.17.1" ) val extraOpenTelemetryDependencies = Seq( From 7e01d2980fb208687e557c69f6e98bda3ff3880e Mon Sep 17 00:00:00 2001 
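Review bot: Removing the `reactor-netty-http` 1.0.39 entry from `transitiveDependencyOverrides` drops a pin whose deleted comment ties it to CVE-2023-34054 and CVE-2023-34062, and neither the hunk nor the commit message ("update transitive dependency overrides") records that the version now resolved transitively is at or above that fix. If the direct dependencies have moved past it, leave a one-line record where the override used to be so the next reader does not re-add it blindly, e.g. `// reactor-netty-http override dropped on <DATE>: direct deps now resolve >= 1.0.39 (checked with sbt evicted)`; if they have not, the override should stay. The `commons-codec` bump to 1.17.1 in the same hunk keeps its existing comment and needs nothing further. This note covers the patch 7 hunk; the patch 6 hunk on the same line is a plain sam-client version bump.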
From: Broad Bot <61600560+broadbot@users.noreply.github.com> Date: Tue, 12 Nov 2024 11:11:13 -0800 Subject: [PATCH 8/9] CORE-69: Update google-cloud-nio from 0.127.25 to 0.127.26 (#3113) Co-authored-by: David An --- project/Dependencies.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 16b3c44b8b..c862334b6b 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -105,7 +105,7 @@ object Dependencies { val workbenchOauth2: ModuleID = "org.broadinstitute.dsde.workbench" %% "workbench-oauth2" % workbenchOauth2V val workbenchOauth2Tests: ModuleID = "org.broadinstitute.dsde.workbench" %% "workbench-oauth2" % workbenchOauth2V % "test" classifier "tests" - val googleStorageLocal: ModuleID = "com.google.cloud" % "google-cloud-nio" % "0.127.25" % "test" + val googleStorageLocal: ModuleID = "com.google.cloud" % "google-cloud-nio" % "0.127.26" % "test" val workbenchUtil: ModuleID = "org.broadinstitute.dsde.workbench" %% "workbench-util" % s"0.10-${workbenchLibsHash}" From dc114847de85985197deb63d42b0bdec38d599a6 Mon Sep 17 00:00:00 2001 From: Broad Bot <61600560+broadbot@users.noreply.github.com> Date: Tue, 12 Nov 2024 12:28:11 -0800 Subject: [PATCH 9/9] CORE-69: Update metrics4-scala from 4.3.2 to 4.3.3 (#3092) Co-authored-by: David An --- project/Dependencies.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index c862334b6b..43283869a6 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala 
@@ -57,7 +57,7 @@ object Dependencies {
 // rawlsCoreDependencies, does not need these. As of this writing, metrics4-scala and metrics3-statsd are only
 // needed by the metrics subproject of Rawls.
 // metrics-scala transitively pulls in io.dropwizard.metrics:metrics-core
- val metricsScala: ModuleID = "nl.grons" %% "metrics4-scala" % "4.3.2"
+ val metricsScala: ModuleID = "nl.grons" %% "metrics4-scala" % "4.3.3"
 val metricsStatsd: ModuleID = "com.readytalk" % "metrics3-statsd" % "4.2.0"
 val scalaLogging: ModuleID = "com.typesafe.scala-logging" %% "scala-logging" % "3.9.5"