WW-5632 Harden commons-fileupload2 dependency against milestone binary-incompatibility #1735
Open
lukaszlenart wants to merge 6 commits into
Design for hardening the commons-fileupload2 dependency against milestone binary-incompatibility (manage -core, activate a scoped enforcer rule, add a runtime API guard in AbstractMultiPartRequest). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ning Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…a-servlet6 Pin both commons-fileupload2 artifacts to a single commons-fileupload2.version property so the volatile -core API can no longer skew from -jakarta-servlet6 in the reactor. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Activate maven-enforcer-plugin (previously dormant in pluginManagement) with a fileupload-scoped bannedDependencies rule so any divergent commons-fileupload2 version fails the build early. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…2 API Verify once per JVM that the fileupload size-limit setters exist and throw a clear StrutsException reporting the core/jakarta version skew, replacing an opaque deep-stack NoSuchMethodError in downstream runtimes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Resolve Sonar java:S2696 (instance method writing a static field) by making ensureFileUploadApiVerified() static; verification is JVM-global. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>



Summary
Hardens Struts against Apache Commons FileUpload milestone (`-M`) binary-incompatibility. WW-5615 (#1584) fixed the reported `NoSuchMethodError` symptom for 7.2.0 by adapting to the renamed M5 setters; this PR closes the underlying class of failure it left open.

- `commons-fileupload2.version` property and manage both `commons-fileupload2-core` and `commons-fileupload2-jakarta-servlet6` at it in `parent/pom.xml`. The volatile setters (`setMaxSize`/`setMaxFileCount`/`setMaxFileSize`) live in `-core`, which was previously unmanaged — so a transitive dep could pull a mismatched `-core` milestone and reproduce the crash even with `-jakarta-servlet6` pinned.
- `maven-enforcer-plugin` rule was configured only in `<pluginManagement>` and never actually ran. Bind it into the active build with a fileupload-scoped `bannedDependencies` rule (single source of truth via the property, actionable `<message>`), so any divergent commons-fileupload2 version fails the build early.
- `AbstractMultiPartRequest` throws a clear `StrutsException` reporting the `-core`/`-jakarta-servlet6` version skew instead of an opaque deep-stack `NoSuchMethodError`. This is the only protection that reaches downstream consumer runtimes the build-time enforcer can't.

Fixes WW-5632
Test Plan
- `mvn test -DskipAssembly -pl core` — BUILD SUCCESS, 2957 tests, 0 failures
- `AbstractMultiPartRequestApiCheckTest` (compatible class passes; incompatible stub throws `StrutsException` with actionable message)
- `-core` is forced to a different milestone
- `jakartaee11` profile unaffected (it does not override `commons-fileupload2.version`)

🤖 Generated with Claude Code
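
The runtime guard described in the summary, as an added example that is not the PR's or Struts' own code: it checks by reflection that the three setters named above exist and fails with an actionable message instead of a late `NoSuchMethodError`. The stub classes, the `long` parameter type, the use of `IllegalStateException` in place of `StrutsException`, and every class and method name other than the three setters are assumptions.

```java
import java.util.concurrent.atomic.AtomicBoolean;

public class FileUploadApiGuardDemo {

    // Setter names come from the PR description; the single long parameter is an assumption.
    private static final String[] REQUIRED_SETTERS = {"setMaxSize", "setMaxFileCount", "setMaxFileSize"};
    private static final AtomicBoolean VERIFIED = new AtomicBoolean();

    /** Constructed stand-in for an upload class that exposes the expected setters. */
    static class CompatibleUpload {
        public void setMaxSize(long v) { }
        public void setMaxFileCount(long v) { }
        public void setMaxFileSize(long v) { }
    }

    /** Constructed stand-in for a skewed milestone that lacks two of the setters. */
    static class IncompatibleUpload {
        public void setMaxSize(long v) { }
    }

    /** Verifies the API surface; skipped once a check has passed in this JVM. */
    static void ensureApiVerified(Class<?> uploadClass) {
        if (VERIFIED.get()) {
            return;
        }
        verify(uploadClass);
        VERIFIED.set(true); // only reached when every setter was found
    }

    static void verify(Class<?> uploadClass) {
        for (String name : REQUIRED_SETTERS) {
            try {
                uploadClass.getMethod(name, long.class);
            } catch (NoSuchMethodException e) {
                // IllegalStateException stands in for StrutsException in this example.
                throw new IllegalStateException("Incompatible file upload API: " + uploadClass.getName()
                        + " has no " + name + "(long). Align the commons-fileupload2-core and"
                        + " commons-fileupload2-jakarta-servlet6 versions.", e);
            }
        }
    }

    public static void main(String[] args) {
        ensureApiVerified(CompatibleUpload.class); // passes silently
        try {
            verify(IncompatibleUpload.class);      // missing setters are reported by name
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```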