Resolution: Fixed
While working on Jenkinsfile Runner, I noticed that Jenkins Core includes the JUnit JAR and Hamcrest JARs as transitive dependencies. It looks like it was my mistake in 2017, when I was working on a custom patch for commons-httpclient with vulnerability fix backports. It leads to 350KB of extra libraries and, which is worse, potentially messes up the classpaths for testing environments and plugins.
Dependency tree:
[INFO] +- io.jenkins.jenkinsfile-runner:setup:jar:1.0-beta-16-SNAPSHOT:compile
[INFO] | +- org.jenkins-ci.main:jenkins-core:jar:2.246:compile
[INFO] | | +- org.jenkins-ci.plugins.icon-shim:icon-set:jar:1.0.5:compile
[INFO] | | +- org.jenkins-ci.main:remoting:jar:4.5:compile
...
[INFO] | | +- org.kohsuke.stapler:json-lib:jar:2.4-jenkins-2:compile
[INFO] | | | \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] | | +- commons-httpclient:commons-httpclient:jar:3.1-jenkins-1:compile
[INFO] | | | \- junit:junit:jar:4.13:compile
[INFO] | | | \- org.hamcrest:hamcrest-core:jar:1.3:compile
Screenshot of a jenkins.war:
https://github.com/jenkinsci/lib-commons-httpclient/releases/tag/commons-httpclient-3.1-jenkins-2 as a first leg of the fix
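
A build-time check for this kind of leak, as an added example that is not part of the original issue or of Jenkins' own code: it parses `mvn dependency:tree` output and reports test-only libraries that resolve in compile or runtime scope, together with the dependency path that pulls them in. The sample tree is constructed from the one in the report (with a hypothetical `org.example` root), and the `TEST_ONLY` list and function names are assumptions of this example.

```python
import re

# Libraries that belong on a test classpath only (assumed list for this example).
TEST_ONLY = {("junit", "junit"), ("org.hamcrest", "hamcrest-core")}
SHIPPED_SCOPES = {"compile", "runtime"}

# Constructed sample in the layout Maven prints, modelled on the tree in the report.
SAMPLE_TREE = r"""
[INFO] org.example:consumer:jar:1.0-SNAPSHOT
[INFO] +- org.jenkins-ci.main:jenkins-core:jar:2.246:compile
[INFO] |  +- org.jenkins-ci.main:remoting:jar:4.5:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1-jenkins-1:compile
[INFO] |  |  \- junit:junit:jar:4.13:compile
[INFO] |  |     \- org.hamcrest:hamcrest-core:jar:1.3:compile
"""

def parse(tree_text):
    """Yield (depth, coordinate) for each node of `mvn dependency:tree` output."""
    for line in tree_text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        marker = re.search(r"[+\\]- ", body)
        # Maven indents three columns per level; the root line has no marker.
        depth = marker.start() // 3 + 1 if marker else 0
        coord = (body[marker.end():] if marker else body).strip()
        if coord.count(":") >= 3 and " " not in coord:  # skip other [INFO] lines
            yield depth, coord

def leaked_test_deps(tree_text):
    """Return [(coordinate, path_from_root)] for test-only libs in a shipped scope."""
    findings, stack = [], []
    for depth, coord in parse(tree_text):
        del stack[depth:]  # drop the previous sibling and everything below it
        stack.append(coord)
        parts = coord.split(":")
        scope = parts[-1] if len(parts) >= 5 else None  # root has no scope field
        if (parts[0], parts[1]) in TEST_ONLY and scope in SHIPPED_SCOPES:
            findings.append((coord, stack[:-1]))
    return findings

if __name__ == "__main__":
    for coord, path in leaked_test_deps(SAMPLE_TREE):
        print(f"{coord}\n    pulled in via: {' -> '.join(path)}")
```

The last element of each reported path is the dependency whose POM needs the scope correction or an exclusion.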