Bug
Resolution: Fixed
Minor
jenkins-2.253
While working on Jenkinsfile Runner, I noticed that Jenkins Core includes the JUnit and Hamcrest JARs as transitive dependencies. It looks like it was my mistake in 2017, when I was working on a custom patch for commons-httpclient with vulnerability fix backports. It leads to 350KB of extra libraries and, which is worse, potentially messes up the classpaths for testing environments and plugins.
Dependency tree:
[INFO] +- io.jenkins.jenkinsfile-runner:setup:jar:1.0-beta-16-SNAPSHOT:compile
[INFO] |  +- org.jenkins-ci.main:jenkins-core:jar:2.246:compile
[INFO] |  |  +- org.jenkins-ci.plugins.icon-shim:icon-set:jar:1.0.5:compile
[INFO] |  |  +- org.jenkins-ci.main:remoting:jar:4.5:compile
...
[INFO] |  |  +- org.kohsuke.stapler:json-lib:jar:2.4-jenkins-2:compile
[INFO] |  |  |  \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] |  |  +- commons-httpclient:commons-httpclient:jar:3.1-jenkins-1:compile
[INFO] |  |  |  \- junit:junit:jar:4.13:compile
[INFO] |  |  |     \- org.hamcrest:hamcrest-core:jar:1.3:compile
Screenshot of a jenkins.war:
[JENKINS-63269] Jenkins WAR should not bundle JUnit and Hamcrest libraries
Component/s | New: core [ 15593 ] | |
Component/s | Original: core [ 21134 ] | |
Key | Original: | New: |
Workflow | Original: classic default workflow [ 245332 ] | New: JNJira + In-Review [ 245333 ] |
Project | Original: Infrastructure [ 10301 ] | New: Jenkins [ 10172 ] |
Summary | Original: Jenkins WAr bundles JUnit and Hamcrest | New: Jenkins WAR should not bundle JUnit and Hamcrest libraries |
Assignee | New: Oleg Nenashev [ oleg_nenashev ] |
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Remote Link | New: This issue links to "https://github.com/jenkinsci/lib-commons-httpclient/pull/2 (Web Link)" [ 25408 ] |
Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |
Released As | New: jenkins-2.253 | |
Resolution | New: Fixed [ 1 ] | |
Status | Original: In Review [ 10005 ] | New: Resolved [ 5 ] |
https://github.com/jenkinsci/lib-commons-httpclient/releases/tag/commons-httpclient-3.1-jenkins-2 as a first leg of the fix
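
The check implied by the dependency tree in the issue description, as an added example that is not part of the original issue or the Jenkins project's code: it parses `mvn dependency:tree` text output and reports test-only libraries that arrive in a shipped scope, together with the chain of ancestors that pulls them in. The `TEST_ONLY_GROUPS` set, the function name and the sample (the issue's tree with Maven's usual three-column spacing) are assumptions made for this illustration.

```python
import re

# Assumption: groupIds treated as test-only; extend the set for your own build.
TEST_ONLY_GROUPS = {"junit", "org.hamcrest"}
SHIPPED_SCOPES = {"compile", "runtime"}  # scopes packaged into WEB-INF/lib

# "[INFO] " + tree glyphs (3 columns per level) + group:artifact:type[:classifier]:version:scope
LINE = re.compile(
    r"^\[INFO\] (?P<glyphs>[ |+\\-]*)(?P<coord>\w[\w.\-]*(?::[\w.\-]+){3,5})\s*$"
)

# Constructed sample based on the tree quoted in the issue.
SAMPLE = r"""
[INFO] +- io.jenkins.jenkinsfile-runner:setup:jar:1.0-beta-16-SNAPSHOT:compile
[INFO] |  +- org.jenkins-ci.main:jenkins-core:jar:2.246:compile
[INFO] |  |  +- org.kohsuke.stapler:json-lib:jar:2.4-jenkins-2:compile
[INFO] |  |  |  \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] |  |  +- commons-httpclient:commons-httpclient:jar:3.1-jenkins-1:compile
[INFO] |  |  |  \- junit:junit:jar:4.13:compile
[INFO] |  |  |     \- org.hamcrest:hamcrest-core:jar:1.3:compile
"""


def find_leaked_test_deps(tree_text):
    """Return (coordinate, path) for each test-only library in a shipped scope.

    path lists the ancestors that pull the library in, outermost first.
    """
    stack, findings = [], []  # stack holds (depth, coordinate) of open ancestors
    for raw in tree_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # "...", banners and other non-tree lines
        depth = len(m.group("glyphs")) // 3
        coord = m.group("coord")
        parts = coord.split(":")
        group, scope = parts[0], parts[-1]
        # Close every ancestor that is not a parent of this line.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if group in TEST_ONLY_GROUPS and scope in SHIPPED_SCOPES:
            findings.append((coord, [c for _, c in stack]))
        stack.append((depth, coord))
    return findings


if __name__ == "__main__":
    for coord, path in find_leaked_test_deps(SAMPLE):
        print(f"{coord}\n    pulled in via: {' -> '.join(path)}")
```

The reported path ends at the artifact whose POM declares the leaking dependency, which is where the scope or exclusion has to be corrected.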