Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update JUnit 4.12 to 4.13.2. #4167

Merged

Conversation

michael-simons
Copy link
Contributor

This update prevents various tools from flagging projects that depend on test containers in compile time scope as insecure due to GHSA-269g-pwp5-87pp. Apart from that, 4.13 has fixed a couple of other things https://github.com/michael-simons/testcontainers-java/pull/new/issue/update-to-junit4-413.

Copy link
Member

@rnorth rnorth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been slightly hesitant about this: bumping our JUnit dependency version will cause most consumers to receive a newer version of JUnit, even when they have a dependency on an older version elsewhere in their build.

That said, we do routinely accept dependabot bumps to other dependencies which are theoretically just as impactful (or more impactful) to consumers, without significant volumes of problems being reported.

I'm familiar with the situation of having static analyzers flag false-positive vulnerabilities in transitive dependencies, which I know can be a chore for users.

FYI I've had a look through the JUnit release notes; it seems to me that any 'breaking' changes are also in fairly obscure areas:

@kiview kiview added this to the next milestone Sep 20, 2021
@kiview kiview merged commit c7fa8e2 into testcontainers:master Sep 20, 2021
@kiview kiview added the dependencies Pull requests that update a dependency file label Oct 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants