Skip to content

Update all non-major dependencies#4591

Merged
janhoy merged 20 commits into
apache:mainfrom
solrbot:renovate/all-non-major-dependencies
Jul 3, 2026
Merged

Update all non-major dependencies#4591
janhoy merged 20 commits into
apache:mainfrom
solrbot:renovate/all-non-major-dependencies

Conversation

@solrbot

@solrbot solrbot commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

This PR contains the following updates:

Package Type Update Change Pending
com.github.spotbugs:spotbugs-annotations (source) dependencies minor 4.9.84.10.2
org.owasp.dependencycheck plugin minor 12.1.312.2.2
dev.langchain4j:langchain4j-bom (source) dependencies minor 1.16.31.17.0 1.17.1
org.jetbrains:annotations dependencies minor 26.0.226.1.0
org.eclipse.jdt:ecj (source) dependencies minor 3.39.03.46.0
com.diffplug.spotless plugin minor 8.3.08.7.0 8.8.0
org.checkerframework:checker-qual (source) dependencies minor 3.54.03.55.1
com.carrotsearch.randomizedtesting:randomizedtesting-runner dependencies minor 2.8.42.9.1
org.carrot2:carrot2-core (source) dependencies patch 4.8.14.8.6
net.bytebuddy:byte-buddy-agent (source) dependencies patch 1.18.8-jdk51.18.9
net.bytebuddy:byte-buddy (source) dependencies patch 1.18.8-jdk51.18.9
com.github.ben-manes.versions plugin minor 0.53.00.54.0
com.github.ben-manes.caffeine:caffeine dependencies patch 3.2.33.2.4

Release Notes

spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)

v4.10.2

Compare Source

Build
  • Add release protection to ensure version released matches the tag and that snapshot has been removed. (#​4156)
  • Drop binary incompatible Saxon-HE back to 12.9 to keep java 11 compatibility. (#​4159)
  • Add binary check to the gradle build to ensure compatibility remains. (#​4159)

v4.10.1

Compare Source

Build
  • 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.
langchain4j/langchain4j (dev.langchain4j:langchain4j-bom)

v1.17.0: and 1.17.0-beta27

Compare Source

Notable Changes

Other Changes

New Contributors

Full Changelog: langchain4j/langchain4j@1.16.3...1.17.0

JetBrains/java-annotations (org.jetbrains:annotations)

v26.1.0

Compare Source

  • @NotNullByDefault is not experimental anymore.

v26.0.2-1

Compare Source

raphw/byte-buddy (net.bytebuddy:byte-buddy-agent)

v1.18.9

  • Disable use of Unsafe by default when Java 25or newer is discovered.
  • Check for escape when creating folders in Plugin.Engine.
  • Improve OpenJ9 attachment.
  • Avoid null pointer on missing annotation types.
  • Improve diagnostics for external agent attachment.
  • Improve on Gradle context discovery.
  • Support Android libraries on AGP9 or newer.
  • Update ASM.

v1.18.8

  • Improve support for repeatable builds.
  • Fix reordering of exception table in type initializers when instrumenting.
ben-manes/caffeine (com.github.ben-manes.caffeine:caffeine)

v3.2.4: 3.2.4

  • Improved access expiration's read performance by avoiding false sharing effects caused by the timestamp update
  • Fixed head-of-line blocking of expiration queues caused by in-flight async entries (#​1954)
  • Fixed various minor issues found using AI audits
  • Added ObjectInputFilter support to JCache

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Every minute (* * * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot

@solrbot solrbot added the exempt-stale Prevent a PR from going stale label Jul 2, 2026
@solrbot

This comment was marked as outdated.

@janhoy

janhoy commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Pushed a commit that makes this bundle build-clean on JDK 21. AI assisted of course... Summary of what changed:

🐞 Excluded errorprone from this renovate group

As errorprone upgrades often require fixes, I exclude it from this PR branch as well as make a renovate rule for it to be handled separately in the future.

🔻 Reverted the RAT upgrade

apache-rat 0.18 → 0.15. RAT 0.18 removes/relocates org.apache.rat.document.impl.FileDocument, which gradle/validation/validate-source-patterns.gradle imports, breaking the build at configuration time. Leaving the RAT upgrade to already-in-progress #4569 . Question @dsmiley: Should RAT be given its own solrbot PR just as errorprone?

🔧 Fixed breakage from ECJ 3.46

ECJ 3.46 tightened nested generic-method inference and rejected SolrMatchers.subListMatches(...) when fed Matchers.contains(...) / containsInAnyOrder(...) in TestRecovery (javac still accepts it). Fixed in one place by changing the matcher parameter from Matcher<? super List<? super T>> to Matcher<Iterable<? extends T>> — which is both inference-friendly for javac and ECJ and the semantically-correct bound (Hamcrest's contains/containsInAnyOrder return Matcher<Iterable<? extends E>>). subListMatches has no other callers.

📝 Changelog

Title now lists each concrete dependency bump (RAT excluded since reverted).

@janhoy janhoy force-pushed the renovate/all-non-major-dependencies branch from 4556b6b to 1e93702 Compare July 2, 2026 16:58
solrbot and others added 6 commits July 2, 2026 19:41
…icenses

- Revert apache-rat 0.18 -> 0.15 (rat 0.18 removes FileDocument API used by
  validate-source-patterns.gradle); to be handled separately
- Fix SolrMatchers.subListMatches signature for stricter ECJ 3.46 generic
  inference (Matcher<Iterable<? extends T>>), unblocking TestRecovery
- Regenerate gradle.lockfile + license sha1s (missing from the original bot PR)
- List concrete dependency bumps in the changelog title
The error-prone 2.50.0 NotJavadoc check flags Javadoc comments on
methods inside local/anonymous classes, which cannot be documented
with Javadoc. Convert the two /** */ comments to regular /* */
comments in SolrDocument.java.
@janhoy janhoy force-pushed the renovate/all-non-major-dependencies branch from 1e93702 to fa5eece Compare July 2, 2026 17:42
janhoy added 2 commits July 2, 2026 20:40
Use URLEncoder.encode(String, Charset) instead of the deprecated
charset-name overload, removing the now-unnecessary
UnsupportedEncodingException handling.
Error Prone 2.50.0 introduced new/stricter bug patterns (ReferenceEquality,
JdkObsolete, NotJavadoc) that require source-level follow-up, which does not
belong in the bulk "all non-major dependencies" PR. Downgrade error_prone back
to the main-branch version (2.41.0), revert the source fixes that were only
needed for 2.50.0 (SolrParams, SolrDocument), and refresh lockfiles/licenses.

Add a dedicated "Error Prone" Renovate group (com.google.errorprone) so future
compiler-check upgrades land in their own PR for dedicated review. Restore the
monthly Renovate schedule ("before 9am on the first day of the month").

The 2.50.0 upgrade plus all source fixes is preserved on branch
errorprone-2.50.0-upgrade for a future dedicated PR.
janhoy and others added 6 commits July 2, 2026 23:46
randomizedtesting 2.9.1 changed the test name format from
"testFoo {seed=[...]}" to "testFoo[seed=[...]]" (no space). getSaferTestName
only stripped at the first space, so the seed leaked into collection names
derived from it, failing TestPullReplica/TestTlogReplica.testCreateDelete with
invalid collection names. Cut at the first space or '[', matching the branch_9x
fix (c566e61).

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates a set of non-major Gradle-managed dependencies across Solr modules by bumping version catalog entries, regenerating per-module Gradle lockfiles, and updating corresponding solr/licenses/*.jar.sha1 tracking files. It also adjusts Renovate grouping/scheduling and makes small test-framework tweaks related to Hamcrest matcher typing and randomizedtesting test-name formatting.

Changes:

  • Bump multiple dependency versions in gradle/libs.versions.toml (e.g., caffeine, byte-buddy, randomizedtesting-runner, langchain4j BOM, JetBrains annotations, ecj, spotless, spotbugs) and regenerate impacted lockfiles.
  • Refresh solr/licenses/*.jar.sha1 files for updated artifacts (randomizedtesting-runner, langchain4j artifacts, caffeine, byte-buddy, carrot2-core, JetBrains annotations).
  • Update Renovate config (add dedicated Error Prone grouping; adjust schedule) and tweak test-framework utilities (SolrMatchers, SolrTestCaseJ4).

Reviewed changes

Copilot reviewed 59 out of 59 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
solr/webapp/gradle.lockfile Regenerated dependency locks (incl. caffeine bump; error_prone_annotations split).
solr/ui/gradle.lockfile Updates locked JetBrains annotations version to 26.1.0 for UI classpaths.
solr/test-framework/src/java/org/apache/solr/util/SolrMatchers.java Changes matcher generic types for sub-list matching helper.
solr/test-framework/src/java/org/apache/solr/SolrTestCaseJ4.java Adjusts test-name sanitization to handle newer randomizedtesting name formats.
solr/test-framework/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, spotbugs-annotations, error_prone_annotations split).
solr/solrj/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, byte-buddy, error_prone_annotations split).
solr/solrj-zookeeper/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, spotbugs-annotations, error_prone_annotations split).
solr/solrj-streaming/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/solrj-jetty/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/solr-ref-guide/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/server/gradle.lockfile Regenerated locks (caffeine; error_prone_annotations split across configurations).
solr/modules/sql/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/modules/scripting/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/modules/s3-repository/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, byte-buddy, JetBrains annotations, error_prone_annotations split).
solr/modules/opentelemetry/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, JetBrains annotations, error_prone_annotations split).
solr/modules/ltr/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, byte-buddy, error_prone_annotations split).
solr/modules/language-models/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, langchain4j 1.17.0, JetBrains annotations, error_prone_annotations split).
solr/modules/langid/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/modules/jwt-auth/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, byte-buddy, JetBrains annotations, error_prone_annotations split).
solr/modules/gcs-repository/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/modules/extraction/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, JetBrains annotations, error_prone_annotations split).
solr/modules/cuvs/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/modules/cross-dc/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, byte-buddy, error_prone_annotations split).
solr/modules/clustering/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, carrot2-core, error_prone_annotations split).
solr/modules/analysis-extras/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, byte-buddy, error_prone_annotations split).
solr/cross-dc-manager/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, byte-buddy, JetBrains annotations, error_prone_annotations split).
solr/core/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, spotbugs-annotations, byte-buddy; error_prone_annotations split).
solr/benchmark/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
solr/api/gradle.lockfile Regenerated locks (randomizedtesting-runner, caffeine, error_prone_annotations split).
gradle/libs.versions.toml Updates dependency/plugin version pins (caffeine, byte-buddy, carrot2, randomizedtesting, spotless, ecj, JetBrains annotations, langchain4j BOM, spotbugs, owasp dependency-check).
gradle.lockfile Updates root-level lock (ecj bump).
.github/renovate.json Adds Error Prone grouping and changes Renovate update schedule.
changelog/unreleased/PR#4591-update-all-non-major-dependencies.yml Adds dependency-update changelog entry for this PR.
solr/licenses/randomizedtesting-runner-2.9.1.jar.sha1 Adds SHA1 tracking for updated randomizedtesting-runner.
solr/licenses/randomizedtesting-runner-2.8.4.jar.sha1 Removes SHA1 tracking for prior randomizedtesting-runner.
solr/licenses/langchain4j-open-ai-1.17.0.jar.sha1 Adds SHA1 tracking for updated langchain4j-open-ai.
solr/licenses/langchain4j-open-ai-1.16.3.jar.sha1 Removes SHA1 tracking for prior langchain4j-open-ai.
solr/licenses/langchain4j-mistral-ai-1.17.0.jar.sha1 Adds SHA1 tracking for updated langchain4j-mistral-ai.
solr/licenses/langchain4j-mistral-ai-1.16.3.jar.sha1 Removes SHA1 tracking for prior langchain4j-mistral-ai.
solr/licenses/langchain4j-hugging-face-1.17.0-beta27.jar.sha1 Adds SHA1 tracking for updated langchain4j-hugging-face.
solr/licenses/langchain4j-hugging-face-1.16.3-beta26.jar.sha1 Removes SHA1 tracking for prior langchain4j-hugging-face.
solr/licenses/langchain4j-http-client-jdk-1.17.0.jar.sha1 Adds SHA1 tracking for updated langchain4j-http-client-jdk.
solr/licenses/langchain4j-http-client-jdk-1.16.3.jar.sha1 Removes SHA1 tracking for prior langchain4j-http-client-jdk.
solr/licenses/langchain4j-http-client-1.17.0.jar.sha1 Adds SHA1 tracking for updated langchain4j-http-client.
solr/licenses/langchain4j-http-client-1.16.3.jar.sha1 Removes SHA1 tracking for prior langchain4j-http-client.
solr/licenses/langchain4j-core-1.17.0.jar.sha1 Adds SHA1 tracking for updated langchain4j-core.
solr/licenses/langchain4j-core-1.16.3.jar.sha1 Removes SHA1 tracking for prior langchain4j-core.
solr/licenses/langchain4j-cohere-1.17.0-beta27.jar.sha1 Adds SHA1 tracking for updated langchain4j-cohere.
solr/licenses/langchain4j-cohere-1.16.3-beta26.jar.sha1 Removes SHA1 tracking for prior langchain4j-cohere.
solr/licenses/carrot2-core-4.8.6.jar.sha1 Adds SHA1 tracking for updated carrot2-core.
solr/licenses/carrot2-core-4.8.1.jar.sha1 Removes SHA1 tracking for prior carrot2-core.
solr/licenses/caffeine-3.2.4.jar.sha1 Adds SHA1 tracking for updated caffeine.
solr/licenses/caffeine-3.2.3.jar.sha1 Removes SHA1 tracking for prior caffeine.
solr/licenses/byte-buddy-agent-1.18.9.jar.sha1 Adds SHA1 tracking for updated byte-buddy-agent.
solr/licenses/byte-buddy-agent-1.18.8-jdk5.jar.sha1 Removes SHA1 tracking for prior byte-buddy-agent.
solr/licenses/byte-buddy-1.18.9.jar.sha1 Adds SHA1 tracking for updated byte-buddy.
solr/licenses/byte-buddy-1.18.8-jdk5.jar.sha1 Removes SHA1 tracking for prior byte-buddy.
solr/licenses/annotations-26.1.0.jar.sha1 Adds SHA1 tracking for updated JetBrains annotations jar.
solr/licenses/annotations-26.0.2.jar.sha1 Removes SHA1 tracking for prior JetBrains annotations jar.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread solr/test-framework/src/java/org/apache/solr/util/SolrMatchers.java
Comment thread solr/test-framework/src/java/org/apache/solr/util/SolrMatchers.java Outdated
Comment thread solr/test-framework/src/java/org/apache/solr/util/SolrMatchers.java Outdated
Comment thread solr/core/gradle.lockfile
Comment thread gradle/libs.versions.toml

@epugh epugh left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How come none of our automated GHA checks failed on the licnse issues that copilot surfaced? seems like if Copilot surfaced them, one of our checks should have failed too?

This is moving right along, and once those questions are answered I would approve!

Comment thread changelog/unreleased/PR#4591-update-all-non-major-dependencies.yml Outdated
@janhoy

janhoy commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

How come none of our automated GHA checks failed on the licnse issues that copilot surfaced?

Copilot misunderstood. The error_prone_annotations deps are bumped transitively by other libs, and several can co-exist. But errorprone current version will only ever use the ones that it knows about, so no harm. Thus I just muted those complaints from Copilot.

Comment thread changelog/unreleased/PR#4591-update-all-non-major-dependencies.yml
@janhoy janhoy merged commit 22d9acd into apache:main Jul 3, 2026
7 of 8 checks passed
janhoy pushed a commit that referenced this pull request Jul 3, 2026
Renovate: handle errorprone separately, change schedule to monthly

Co-authored-by: Jan Høydahl <janhoy@apache.org>

(cherry picked from commit 22d9acd)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants