Bump parameterized-trigger from 2.39 to 2.43.1 #1369

dependabot · 2022-12-04T18:45:33Z

Bumps parameterized-trigger from 2.39 to 2.43.1.

Release notes

Sourced from parameterized-trigger's releases.

2.43

🚀 New features and improvements

Prepare for PNG icon removal from core (#230) @NotMyFault

📦 Dependency updates

Bump actions/setup-java from 2.3.1 to 2.4.0 (#228) @dependabot

Bump actions/cache from 2.1.6 to 2.1.7 (#227) @dependabot

Bump promoted-builds from 3.10 to 3.11 (#229) @dependabot

2.42

Fix flakiness in BuildTriggerTest (#226) @raul-arabaolaza

🚀 New features and improvements

Support env vars to define filePattern of FileBuildParameterFactory (#147) @gjabouley-invn

📦 Dependency updates

Bump actions/stale from 3 to 4 (#201) @dependabot

Bump bom-2.263.x from 872.v03c18fa35487 to 961.vf0c9f6f59827 (#218) @dependabot

Bump plugin from 4.19 to 4.31 (#224) @dependabot

Bump actions/setup-java from 2.3.0 to 2.3.1 (#217) @dependabot

Bump subversion from 2.14.4 to 2.15.1 (#223) @dependabot

Bump error_prone_annotations from 2.9.0 to 2.10.0 (#225) @dependabot

Bump error_prone_annotations from 2.7.1 to 2.9.0 (#212) @dependabot

Bump actions/setup-java from 2.1.0 to 2.3.0 (#211) @dependabot

Bump bom-2.263.x from 841.vd6e713d848ab to 872.v03c18fa35487 (#198) @dependabot

Bump subversion from 2.14.2 to 2.14.4 (#199) @dependabot

2.41

📦 Dependency updates

Bump promoted-builds from 3.7 to 3.10 (#191) @dependabot

Bump subversion from 2.14.1 to 2.14.2 (#194) @dependabot

Bump bom-2.263.x from 23 to 841.vd6e713d848ab (#195) @dependabot

Bump actions/setup-java from 1 to 2.1.0 (#189) @dependabot

Bump plugin from 4.18 to 4.19 (#193) @dependabot

Bump actions/cache from 2.1.5 to 2.1.6 (#192) @dependabot

Bump error_prone_annotations from 2.5.1 to 2.7.1 (#188) @dependabot

Bump subversion from 2.14.0 to 2.14.1 (#185) @dependabot

Bump release-drafter/release-drafter from v5.14.0 to v5.15.0 (#175) @dependabot

Bump commons-lang3 from 3.11 to 3.12.0 (#171) @dependabot

Bump plugin from 4.16 to 4.18 (#181) @dependabot

Bump actions/cache from v2.1.4 to v2.1.5 (#182) @dependabot

Bump plugin from 4.15 to 4.16 (#167) @dependabot

... (truncated)

Commits

ae0ac1a [maven-release-plugin] prepare release parameterized-trigger-2.43.1
6b7cd22 [SECURITY-2185]
ae7eb39 Prepare 2.43.x stable branch
38a7ff8 [maven-release-plugin] prepare for next development iteration
4aa22d7 [maven-release-plugin] prepare release parameterized-trigger-2.43
56514a1 Bump actions/setup-java from 2.3.1 to 2.4.0 (#228)
b2efcca Bump actions/cache from 2.1.6 to 2.1.7 (#227)
9d95a99 Bump promoted-builds from 3.10 to 3.11
eabedca style: Prepare for PNG icon removal from core (#230)
5c1ff14 [maven-release-plugin] prepare for next development iteration
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @MarkEWaite.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

MarkEWaite

@dependabot merge

I generally prefer to not upgrade the version of an optional dependency, but 2.43.1 is a fix for a security vulnerability and it has been available to users for 6 months or more. A reasonable requirement that if the user is running parameterized trigger plugin, it needs to be at least 2.43.1.

Was released a year ago and is required as a minimum version for parameterized trigger plugin

Notes from Basil Crow: Can be reproduced in git-plugin by running ``` $ mvn -Denforcer.skip=true \ -Dhpi-plugin.version=3.37 -Djenkins.version=2.381 \ -Djth.jenkins-war.path=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWar=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWarAdditions=true -Dtest=InjectedTest \ -DupperBoundsExcludes=javax.servlet:servlet-api -DuseUpperBounds=true \ clean verify ``` after running ``` $ PLUGINS=git TEST=InjectedTest bash local-test.sh ``` in bom to build the megawar. Bisection shows the trouble started occurring at jenkinsci#1369 which updated parameterized-trigger from 2.39 to 2.43.1, which in turn updated conditional-buildstep from 1.3.1 to 1.4.1, which in turn put maven-plugin on the compile classpath. Turns out that declaring maven-plugin as non-optional was a bug in conditional-buildstep 1.4.1, fixed in 1.4.2 with jenkinsci/conditional-buildstep-plugin#27. Verified that the problem can be successfully worked around in git-plugin by downgrading parameterized-trigger back to 2.39 (which also downgrades conditional-buildstep down to 1.3.1) or upgrading conditional-buildstep to 1.4.2 with diff --git a/pom.xml b/pom.xml index 3753e57c..e187d4f4 100644 --- a/pom.xml +++ b/pom.xml @@ -79,6 +79,11 @@ <type>pom</type> <scope>import</scope> </dependency> + <dependency> + <groupId>org.jenkins-ci.plugins</groupId> + <artifactId>conditional-buildstep</artifactId> + <version>1.4.2</version> + </dependency> </dependencies> </dependencyManagement> But a better solution would be to upgrade conditional-buildstep to 1.4.2 in parameterized-trigger; i.e., releasing jenkinsci/parameterized-trigger-plugin#252 and then upgrading to that release in the Git plugin.

Notes from Basil Crow: Can be reproduced in git-plugin by running ``` $ mvn -Denforcer.skip=true \ -Dhpi-plugin.version=3.37 -Djenkins.version=2.381 \ -Djth.jenkins-war.path=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWar=~/src/jenkinsci/bom/target/local-test/megawar.war \ -DoverrideWarAdditions=true -Dtest=InjectedTest \ -DupperBoundsExcludes=javax.servlet:servlet-api -DuseUpperBounds=true \ clean verify ``` after running ``` $ PLUGINS=git TEST=InjectedTest bash local-test.sh ``` in bom to build the megawar. Bisection shows the trouble started occurring at #1369 which updated parameterized-trigger from 2.39 to 2.43.1, which in turn updated conditional-buildstep from 1.3.1 to 1.4.1, which in turn put maven-plugin on the compile classpath. Turns out that declaring maven-plugin as non-optional was a bug in conditional-buildstep 1.4.1, fixed in 1.4.2 with jenkinsci/conditional-buildstep-plugin#27. Verified that the problem can be successfully worked around in git-plugin by downgrading parameterized-trigger back to 2.39 (which also downgrades conditional-buildstep down to 1.3.1) or upgrading conditional-buildstep to 1.4.2 with diff --git a/pom.xml b/pom.xml index 3753e57c..e187d4f4 100644 --- a/pom.xml +++ b/pom.xml @@ -79,6 +79,11 @@ <type>pom</type> <scope>import</scope> </dependency> + <dependency> + <groupId>org.jenkins-ci.plugins</groupId> + <artifactId>conditional-buildstep</artifactId> + <version>1.4.2</version> + </dependency> </dependencies> </dependencyManagement> But a better solution would be to upgrade conditional-buildstep to 1.4.2 in parameterized-trigger; i.e., releasing jenkinsci/parameterized-trigger-plugin#252 and then upgrading to that release in the Git plugin.

dependabot bot added dependencies Dependency related change java Pull requests that update Java code labels Dec 4, 2022

MarkEWaite approved these changes Dec 4, 2022

View reviewed changes

Require at least promoted builds 3.11

7a5afa3

Was released a year ago and is required as a minimum version for parameterized trigger plugin

dependabot bot merged commit ce8b936 into master Dec 4, 2022

dependabot bot deleted the dependabot/maven/org.jenkins-ci.plugins-parameterized-trigger-2.43.1 branch December 4, 2022 19:53

basil mentioned this pull request Dec 6, 2022

Bump git-plugin.version from 4.14.1 to 4.14.2 in /bom-weekly jenkinsci/bom#1623

Closed

MarkEWaite mentioned this pull request Apr 20, 2023

Bump copyartifact from 686.v6fd37018d7c2 to 697.v12c6e8c8fb_34 in /bom-weekly and add maven-plugin to managed set jenkinsci/bom#1978

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump parameterized-trigger from 2.39 to 2.43.1 #1369

Bump parameterized-trigger from 2.39 to 2.43.1 #1369

dependabot bot commented on behalf of github Dec 4, 2022 •

edited

MarkEWaite left a comment

Bump parameterized-trigger from 2.39 to 2.43.1 #1369

Bump parameterized-trigger from 2.39 to 2.43.1 #1369

Conversation

dependabot bot commented on behalf of github Dec 4, 2022 • edited

2.43

🚀 New features and improvements

📦 Dependency updates

2.42

🚀 New features and improvements

📦 Dependency updates

2.41

📦 Dependency updates

MarkEWaite left a comment

Choose a reason for hiding this comment

dependabot bot commented on behalf of github Dec 4, 2022 •

edited