daml/bazel-java-deps.bzl
Brian Healey b2e1dd85cd
Upgrade Jackson to 2.11.2 to address security vulnerabilities (#7375)
CHANGELOG_BEGIN
Upgrade Jackson to 2.11.2 to address security vulnerabilities
CHANGELOG_END

Signed-off-by: Brian Healey <brian.healey@digitalasset.com>
2020-09-10 14:32:01 -04:00

191 lines
10 KiB
Python

# Copyright (c) 2020 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
# When adding, removing or changing a dependency in this file, update the pinned dependencies by executing
# $ bazel run @unpinned_maven//:pin
# See https://github.com/bazelbuild/rules_jvm_external#updating-maven_installjson
load("@rules_jvm_external//:defs.bzl", "maven_install")
load("@rules_jvm_external//:specs.bzl", "maven")
def install_java_deps():
maven_install(
artifacts = [
"ai.x:diff_2.12:2.0.1",
"ch.qos.logback:logback-classic:1.2.3",
"ch.qos.logback:logback-core:1.2.3",
"com.auth0:java-jwt:3.10.3",
"com.auth0:jwks-rsa:0.11.0",
"com.chuusai:shapeless_2.12:2.3.2",
"com.github.ben-manes.caffeine:caffeine:2.8.0",
"com.github.ghik:silencer-lib_2.12.11:1.6.0",
"com.github.ghik:silencer-plugin_2.12.11:1.6.0",
"com.github.pureconfig:pureconfig_2.12:0.8.0",
maven.artifact("com.github.pureconfig", "pureconfig-macros_2.12", "0.8.0", neverlink = True),
"com.github.scopt:scopt_2.12:3.7.1",
"com.google.code.findbugs:jsr305:3.0.2",
"com.google.code.gson:gson:2.8.2",
"com.google.guava:guava:29.0-jre",
"com.h2database:h2:1.4.200",
"com.lihaoyi:pprint_2.12:0.5.3",
"commons-io:commons-io:2.5",
"com.sparkjava:spark-core:2.9.1",
"com.squareup:javapoet:1.11.1",
"com.storm-enroute:scalameter_2.12:0.10.1",
"com.storm-enroute:scalameter-core_2.12:0.10.1",
"com.typesafe.akka:akka-actor_2.12:2.6.1",
"com.typesafe.akka:akka-actor-typed_2.12:2.6.1",
"com.typesafe.akka:akka-http_2.12:10.1.11",
"com.typesafe.akka:akka-http-spray-json_2.12:10.1.11",
"com.typesafe.akka:akka-http-testkit_2.12:10.1.11",
"com.typesafe.akka:akka-slf4j_2.12:2.6.1",
"com.typesafe.akka:akka-stream_2.12:2.6.1",
"com.typesafe.akka:akka-stream-testkit_2.12:2.6.1",
"com.typesafe.akka:akka-testkit_2.12:2.6.1",
"com.typesafe.play:anorm_2.12:2.5.3",
"com.typesafe.play:anorm-akka_2.12:2.5.3",
"com.typesafe.scala-logging:scala-logging_2.12:3.9.2",
"com.zaxxer:HikariCP:3.2.0",
"eu.rekawek.toxiproxy:toxiproxy-java:2.1.3",
"io.circe:circe-core_2.12:0.10.0",
"io.circe:circe-generic_2.12:0.10.0",
"io.circe:circe-parser_2.12:0.10.0",
"io.circe:circe-yaml_2.12:0.10.0",
"io.dropwizard.metrics:metrics-core:4.1.2",
"io.dropwizard.metrics:metrics-graphite:4.1.2",
"io.dropwizard.metrics:metrics-jmx:4.1.2",
"io.dropwizard.metrics:metrics-jvm:4.1.2",
# Bumping versions of io.grpc:* has a few implications:
# 1. io.grpc:grpc-protobuf has a dependency on com.google.protobuf:protobuf-java, which in
# turn needs to be aligned with the version of protoc we are using (as declared in deps.bzl).
# ScalaPB also depends on a version of protobuf-java, but for the most part we expect here a
# version mismatch between ScalaPBs declared protobuf-java dependency and the version on the
# classpath doesn't matter.
#
# 2. To keep TLS for the Ledger API Server working, the following three artifacts need be updated
# in sync according to https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty
#
# * io.grpc:grpc-netty
# * io.netty:netty-handler
# * io.netty:netty-tcnative-boringssl-static
#
# This effectively means all io.grpc:*, io.netty:*, and `com.google.protobuf:protobuf-java
# need to be updated with careful consideration.
# grpc
"io.grpc:grpc-api:1.29.0",
"io.grpc:grpc-core:1.29.0",
"io.grpc:grpc-netty:1.29.0",
"io.grpc:grpc-protobuf:1.29.0",
"io.grpc:grpc-services:1.29.0",
"io.grpc:grpc-stub:1.29.0",
# netty
"io.netty:netty-codec-http2:4.1.48.Final",
"io.netty:netty-handler:4.1.48.Final",
"io.netty:netty-handler-proxy:4.1.48.Final",
"io.netty:netty-resolver:4.1.48.Final",
"io.netty:netty-tcnative-boringssl-static:2.0.30.Final",
# protobuf
"com.google.protobuf:protobuf-java:3.11.0",
#scalapb
"com.thesamet.scalapb:compilerplugin_2.12:0.9.0",
"com.thesamet.scalapb:lenses_2.12:0.9.0",
"com.thesamet.scalapb:protoc-bridge_2.12:0.7.8",
"com.thesamet.scalapb:scalapb-runtime_2.12:0.9.0",
"com.thesamet.scalapb:scalapb-runtime-grpc_2.12:0.9.0",
# ---- end of grpc-protobuf-netty block
"io.reactivex.rxjava2:rxjava:2.2.1",
"io.spray:spray-json_2.12:1.3.5",
"io.zipkin.brave:brave:4.6.0",
"io.zipkin.reporter:zipkin-sender-okhttp3:1.0.4",
"javax.annotation:javax.annotation-api:1.2",
"javax.ws.rs:javax.ws.rs-api:2.1",
"junit:junit:4.12",
"junit:junit-dep:4.10",
"net.logstash.logback:logstash-logback-encoder:6.3",
"org.apache.commons:commons-lang3:3.9",
"org.apache.commons:commons-text:1.4",
"org.awaitility:awaitility:3.1.6",
"org.checkerframework:checker:2.5.4",
"org.flywaydb:flyway-core:6.5.0",
"org.freemarker:freemarker-gae:2.3.28",
"org.gnieh:diffson-spray-json_2.12:3.1.1",
"org.jline:jline:3.7.1",
"org.jline:jline-reader:3.7.1",
"org.junit.jupiter:junit-jupiter-api:5.0.0",
"org.junit.jupiter:junit-jupiter-engine:5.0.0",
"org.junit.platform:junit-platform-engine:1.0.0",
"org.junit.platform:junit-platform-runner:1.0.0",
"org.mockito:mockito-core:2.24.0",
"org.mockito:mockito-inline:2.24.0",
"org.mockito:mockito-scala_2.12:1.1.2",
"org.pcollections:pcollections:2.1.3",
"org.postgresql:postgresql:42.2.9",
"org.reactivestreams:reactive-streams:1.0.2",
"org.reactivestreams:reactive-streams-tck:1.0.2",
"org.sangria-graphql:sangria_2.12:1.4.2",
"org.sangria-graphql:sangria-spray-json_2.12:1.0.2",
"org.scalacheck:scalacheck_2.12:1.14.0",
"org.scala-lang.modules:scala-collection-compat_2.12:2.1.6",
"org.scala-lang.modules:scala-java8-compat_2.12:0.9.0",
"org.scala-lang.modules:scala-parser-combinators_2.12:1.0.4",
"org.scala-sbt:sbt:1.1.4",
"org.scalactic:scalactic_2.12:3.0.5",
"org.scalatest:scalatest_2.12:3.0.5",
"org.scalaz:scalaz-concurrent_2.12:7.2.24",
"org.scalaz:scalaz-core_2.12:7.2.24",
"org.scalaz:scalaz-scalacheck-binding_2.12:7.2.24-scalacheck-1.14",
"org.seleniumhq.selenium:selenium-java:3.12.0",
"org.slf4j:slf4j-api:1.7.26",
"org.slf4j:slf4j-simple:1.7.26",
"org.spire-math:kind-projector_2.12:0.9.3",
"org.tpolecat:doobie-core_2.12:0.6.0",
"org.tpolecat:doobie-postgres_2.12:0.6.0",
"org.typelevel:paiges-core_2.12:0.2.1",
"org.wartremover:wartremover_2.12.11:2.4.9",
"org.xerial:sqlite-jdbc:3.30.1",
# gatling dependencies
"io.gatling:gatling-app:3.3.1",
"io.gatling:gatling-core:3.3.1",
"io.gatling:gatling-commons:3.3.1",
"io.gatling:gatling-recorder:3.3.1",
"io.gatling:gatling-charts:3.3.1",
"io.gatling.highcharts:gatling-highcharts:3.3.1",
"io.gatling:gatling-http:3.3.1",
"io.gatling:gatling-http-client:3.3.1",
"com.fasterxml.jackson.core:jackson-core:2.11.2",
"com.fasterxml.jackson.core:jackson-databind:2.11.2",
],
fetch_sources = True,
maven_install_json = "@com_github_digital_asset_daml//:maven_install.json",
override_targets = {
# Replacements for core Scala libraries.
# These libraries must be provided by the Scala toolchain.
#
# Without these you may get obscure compiler errors about missing implicits,
# or types that should be `Any`.
# This needs to be kept in sync with //bazel-tools:pom_file.bzl
"org.scala-lang:scala-compiler": "@io_bazel_rules_scala_scala_compiler//:io_bazel_rules_scala_scala_compiler",
"org.scala-lang:scala-library": "@io_bazel_rules_scala_scala_library//:io_bazel_rules_scala_scala_library",
"org.scala-lang:scala-reflect": "@io_bazel_rules_scala_scala_reflect//:io_bazel_rules_scala_scala_reflect",
"org.scala-lang.modules:scala-parser-combinators": "@io_bazel_rules_scala_scala_parser_combinators//:io_bazel_rules_scala_scala_parser_combinators",
"org.scala-tools.testing:test-interface": "//:org_scala_sbt_test_interface",
"org.scalactic:scalactic_2.12": "@io_bazel_rules_scala_scalactic//:io_bazel_rules_scala_scalactic",
"org.scalatest:scalatest_2.12": "@io_bazel_rules_scala_scalatest//:io_bazel_rules_scala_scalatest",
},
repositories = [
"https://repo1.maven.org/maven2",
],
# The strict_visibility attribute controls whether all artifacts should
# be visible (including transitive dependencies), or whether only
# explicitly declared artifacts should be visible. The targets
# generated by maven_install do not forward transitive dependencies.
# Instead, users need to explicitly declare each package a dependency
# from which they wish to import. This makes strict visibility
# inconvenient as one would have to pin versions of transitive
# dependencies in this file, which complicates version updates later
# on. Therefore, we don't enable strict visibility. This is the default.
# strict_visibility = True,
version_conflict_policy = "pinned",
)