...
Apache NiFi is a large project with numerous direct and transitive dependencies. Maintaining security is essential and providing compatibility is an important element of successful releases. Understanding the usage profile and component impact of dependencies is key to managing and upgrading libraries throughout the project. This document highlights common project dependencies outlines a dependency management strategy and recommend steps when preparing to upgrade or reviewing upgrade requests.
...
As a large project with many external integrations, Apache NiFi depends on hundreds of libraries, each with various transitive dependencies. Runtime ClassLoader isolation allows different extension components to depend on different versions of the same library, which brings both flexibility and complexity to the dependency management process. Knowing the scope of library usage is important when evaluating whether to upgrade, enforce, or override dependency versions.
Project Modules
The location of subproject module hierarchies should be noted when evaluating dependency changes.
- MiNiFi
- Registry
- Stateless
- Toolkit
Managed Dependencies
The Apache Maven dependencyManagement element enables parent projects to set dependency versions for child projects. Custom project properties enable a single version to be set and referenced. Many libraries include a shared set of transitive or sibling dependencies, which can be managed through a single Bill of Materials dependency. Selective use of these features provides a consistent and maintainable strategy.
...
The bundle project provides a natural place for defining common versions of shared libraries. Rather than defining the same version number or even using a shared version property across child modules, the dependencyManagement element should be used in the bundle project to set consistent versions for child projects. The bundle project is the best place to define shared dependency version information when the usage of the dependency is limited to a particular extension.
...
Upgrading dependencies is essential for maintaining security and compatibility. The specific level of effort varies from library to library, but there are several steps that should be followed for all dependency upgrades.
Standard Steps
Projects follow various versioning strategies, which often complicates the upgrade process. Understanding project versioning strategy is important when evaluating changes.
- Evaluate project versioning strategy
- Review project release notes
- Determine level of changes
- Review direct dependency references
- Review transitive dependency references
- Run local build
- Run GitHub automated builds in forked repository
Evaluate Project Versioning Strategy
Projects follow various versioning strategies, which often complicates the upgrade process. Understanding project versioning strategy is important when evaluating changes.
Many projects adhere to Semantic Versioning for project releases. Semantic Versioning aims to provide a common approach to version number numbering in a way that communicates the type of changes included. Major versions can include some number of breaking changes, whereas minor and patch versions should never include breaking changes.
...
In some instances, there is no substitute for exercising components with a running configuration. Understanding the scope of dependency usage will can help tailor particular functional tests, identifying whether specific properties are necessary to exercise new features or fixes.