[BUILD-684] Update JackRabbit to version 2.20.6
Created: 10/Feb/22  Updated: 19/Oct/22  Resolved: 08/Aug/22

Status: Closed
Project: Build
Component/s: BOM
Affects Version/s: None
Fix Version/s: BOM 6.2.23

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: foundation_team
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
Relates
relates to BUILD-663 Dismiss h2 vulnerabilities Closed
duplicate
is duplicated by BUILD-755 Update JR to 2.20.5 Closed
relation
is related to MGNLEESOLR-172 Exclude dependency on tika-parsers 1.x Closed
Sub-Tasks:
Key | Summary | Type | Status | Assignee
BUILD-742 | Check compatibility of junjar license... | Sub-task | Closed | Jan Haderka
Template:
Acceptance criteria:
[X]* Update 3rd party deps which need to be kept in sync
Task DoR:
Empty
Release notes required:
Yes
Date of First Response:
Team: Foundation

 Description   

Waiting for JackRabbit 2.20.6 which is using Tika 2.4.0 (not vulnerable for now), see also https://issues.apache.org/jira/browse/JCR-4787

Skipped 2.20.5, released on 10th March 2022 (https://jackrabbit.apache.org/jcr/downloads.html#v2.20), as it has a vulnerable Tika version (see BUILD-813).
Let's see if it is possible to bump Tika to a non-vulnerable 2.x version, since Tika 1.x will be EoL as of 30th September 2022: https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3

 



 Comments   
Comment by Federico Grilli [ 01/Apr/22 ]

mdrapela/docuteam
To mention in release notes:

We keep Tika and H2 db 3rd party libs in sync with JackRabbit. Most notably

Tika went from 1.27 to 2.2.1
H2 went from 1.4.200 to 2.0.206

Comment by Federico Grilli [ 05/Apr/22 ]

Reverting update for now as JR SearchIndex is broken due to exclusion of junrar (license incompatibility issue to be checked) 

java.lang.NoClassDefFoundError: com/github/junrar/exception/RarException

 

Comment by Federico Grilli [ 08/Aug/22 ]

mdrapela/docs 
6.2.23 Release notes:
Tika version is kept in sync with JR's and was bumped from version 1.28.4 to version 2.4.1.

The most noticeable change is that now Magnolia, like JR itself, will provide only tika-parsers-standard out of the box. Additional parsers can be added separately, see also https://cwiki.apache.org/confluence/display/TIKA/Migrating+to+Tika+2.0.0

In Tika 2.0.0 release notes some breaking changes are mentioned but none should affect JR/Magnolia.

Finally, 3rd party transitive dependencies inherited from Tika have changed (some removed, others added or upgraded). Here is an overview  

Added | Removed | Upgraded
commons-csv-1.9.0.jar | isoparser-1.9.41.7.jar | bouncycastle from 1.68 to 1.70
commons-exec-1.3.jar | jcip-annotations-1.0.jar |
jai-imageio-core-1.4.0.jar | jcommander-1.82.jar |
jbig2-imageio-3.0.4.jar | jul-to-slf4j-1.7.36.jar |
dec-0.1.2.jar | preflight-2.0.26.jar |
junrar-7.5.2.jar | protobuf-java-3.19.2.jar |
jwarc-0.18.1.jar | sentiment-analysis-parser-0.1.jar |
pdfbox-debugger-2.0.26.jar | stax2-api-4.2.1.jar |
pdfbox-tools-2.0.26.jar | woodstox-core-6.2.8.jar |
 | xmpcore-shaded-6.1.10.jar |
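
A check that could be run over a webapp's lib directory listing after this upgrade, added here as an example and not part of the ticket or of Magnolia's build: it flags Tika 1.x leftovers, mixed Tika versions, and the missing-junrar condition behind the NoClassDefFoundError reported above. The sample jar list, the function names and the 2.4.0 floor default are assumptions.

```python
import re

# Constructed sample: jar file names as they might appear in WEB-INF/lib.
SAMPLE_LIB = [
    "jackrabbit-core-2.20.6.jar",
    "tika-core-2.4.1.jar",
    "tika-parsers-standard-package-2.4.1.jar",
    "tika-parsers-1.28.4.jar",  # leftover monolithic Tika 1.x parser bundle
    "bcprov-jdk15on-1.70.jar",
]

# artifact name, dotted numeric version, optional qualifier or classifier
JAR_RE = re.compile(r"^(.+?)-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_jar(filename):
    """Split 'name-1.2.3.jar' into (name, (1, 2, 3)); None if it does not fit."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (3 - len(parts))  # pad '2.4' to (2, 4, 0) for comparison
    return m.group(1), tuple(parts)


def audit_tika(jar_names, floor=(2, 4, 0)):
    """Return sorted findings about the Tika jars in a lib directory listing.

    floor is the oldest acceptable Tika version. The default is the 2.4.0 the
    ticket waited for; treat it as an assumption and raise it per advisories.
    """
    jars = [j for j in map(parse_jar, jar_names) if j]
    tika = [(n, v) for n, v in jars if n.startswith("tika-")]
    findings = set()
    for name, ver in tika:
        shown = ".".join(map(str, ver))
        if ver[0] < 2:
            findings.add(f"{name} {shown}: Tika 1.x line, end of life")
        elif ver < floor:
            findings.add(f"{name} {shown}: older than the accepted floor")
    if len({v for _, v in tika}) > 1:
        findings.add("mixed Tika versions on the classpath")
    # The ticket's NoClassDefFoundError came from excluding junrar.
    parsers = any(n.startswith("tika-parser") and v[0] >= 2 for n, v in tika)
    if parsers and not any(n == "junrar" for n, _ in jars):
        findings.add("Tika 2.x parsers present but junrar is missing")
    return sorted(findings)
```

Feeding it the output of a directory listing of the deployed WEB-INF/lib gives an empty list when the Tika jars are consistent with the BOM.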

 

Generated at Sun Feb 11 23:44:11 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.