fix: Update dependencies #3204
fix: Update dependencies #3204
Conversation
WalkthroughUpdates standardize dependency management (explicit Jakarta Mail, JUnit BOM, library/version bumps) and modify OpenAPI operation-to-handler mapping to use Operation object identity instead of operationId strings, affecting lookup paths. No public APIs changed besides a type alias update to IdentityHashMap for operation handlers. Changes
Sequence Diagram(s)sequenceDiagram
participant SpringDoc as SpringDoc/OpenApiCustomizer
participant Builder as OpenApiGroupBuilder
participant Operation as OpenAPI Operation
participant Map as OperationHandlers (IdentityHashMap)
participant Config as OpenApiConfiguration
SpringDoc->>Builder: customize(OpenAPI)
loop for each Operation
Builder->>Map: put(Operation, HandlerMethod)
end
SpringDoc->>Config: isApiKeyOperation(Operation)
Config->>Map: get(Operation)
Map-->>Config: HandlerMethod
Config->>Config: Inspect handler paths for "{projectId}"
Config-->>SpringDoc: decision
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
Tip 🔌 Remote MCP (Model Context Protocol) integration is now available!Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats. ✨ Finishing Touches
🧪 Generate unit tests
🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
CodeRabbit Configuration File (
|
92b4c17 to
6f7de5b
Compare
1d4e6c5 to
f39ef1c
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (8)
backend/security/build.gradle (1)
99-100: Consider centralizing the junit-bom version to avoid drift.You’re pinning 5.11.4 in multiple modules. To reduce duplication, define a shared junitVersion (e.g., in gradle.properties or the version catalog) and reference it everywhere.
backend/ktlint/build.gradle (1)
51-56: junit-bom import looks good; verify interaction with spring-boot-starter-test.Overriding JUnit via junit-bom is fine even with spring-boot-starter-test present. Just ensure your chosen JUnit 5.11.4 works cleanly with Boot 3.4.8’s starter-test stack.
If you want to reduce duplication, consider moving the JUnit version to a single source (gradle.properties or version catalog) and referencing it here.
backend/app/src/main/kotlin/io/tolgee/configuration/openApi/OpenApiGroupBuilder.kt (5)
16-16: IdentityHashMap for OperationHandlers — verify identity stability across Springdoc phasesSwitching to IdentityHashMap<Operation, HandlerMethod> is a clean way to avoid operationId collisions, but it assumes the same Operation instances flow through both OperationCustomizer (where the map is populated) and OpenApiCustomizer (where it’s read). If Springdoc clones/rebuilds Operation objects between phases, lookups will fail and later code will throw.
- Action: Verify at runtime that no “Operation handler not found …” is thrown and that handler lookups succeed across the whole OpenAPI generation.
- Optional: If you want extra safety, consider failing gracefully with a warning (and skipping the operation) rather than hard-throwing, or augment the error context as suggested below.
I can provide an integration test to assert handler mappings are resolvable across phases. Want me to draft it?
103-106: Method/class-level annotation lookup: consider supporting composed/meta-annotationsThis works, but Spring’s AnnotationUtils.findAnnotation will also resolve composed/meta-annotations and bridge methods more robustly.
Apply this diff:
- val annotation = - handlerMethod.getMethodAnnotation(annotationClass) - ?: handlerMethod.method.declaringClass.getAnnotation(annotationClass) + val annotation = + org.springframework.core.annotation.AnnotationUtils.findAnnotation(handlerMethod.method, annotationClass) + ?: org.springframework.core.annotation.AnnotationUtils.findAnnotation(handlerMethod.method.declaringClass, annotationClass)
160-160: Populating the identity map in OperationCustomizer — consider thread-safety (minor)If Springdoc were to invoke OperationCustomizer concurrently, IdentityHashMap isn’t thread-safe. It’s likely single-threaded today, but a minimal hardening would be to wrap it with Collections.synchronizedMap.
For example (outside diffable range):
val operationHandlers: MutableMap<Operation, HandlerMethod> = java.util.Collections.synchronizedMap(java.util.IdentityHashMap())
179-181: Improve exception context when handler mapping is missingGreat that the message includes operationId. Adding path and HTTP method will make this much easier to debug.
Apply this diff:
- operationHandlers[operation] - ?: throw RuntimeException("Operation handler not found for ${operation.operationId}"), + operationHandlers[operation] + ?: throw RuntimeException( + "Operation handler not found. " + + "operationId='${operation.operationId}', " + + "path='${pathEntry.key}', " + + "httpMethod='${oldPathItem.getHttpMethod(operation)}'" + ),
221-221: Optional: add debug logging when handler mapping is absent while building handlerPathsThis branch quietly skips when a handler isn’t found. A low-level debug log here would help catch identity mismatches early without failing the build.
backend/app/src/main/kotlin/io/tolgee/configuration/openApi/OpenApiConfiguration.kt (1)
119-124: Use shared helpers/constant for projectId detection; avoid hard-coded "{projectId}"Good switch to identity-based lookup. For consistency and to prevent drift, prefer the existing helpers/constant over literal "{projectId}".
Apply this diff:
- val pathContainsProjectId = path.contains("{$PROJECT_ID_PARAMETER}") + val pathContainsProjectId = containsProjectIdParam(path) @@ - ]?.any { it.contains("{projectId}") } + ]?.any { containsProjectIdParam(it) }Also, same identity stability caveat as in OpenApiGroupBuilder applies here since this now keys by Operation. Please verify no runtime misses.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (10)
backend/app/build.gradle(2 hunks)backend/app/src/main/kotlin/io/tolgee/configuration/openApi/OpenApiConfiguration.kt(1 hunks)backend/app/src/main/kotlin/io/tolgee/configuration/openApi/OpenApiGroupBuilder.kt(5 hunks)backend/data/build.gradle(4 hunks)backend/ktlint/build.gradle(2 hunks)backend/security/build.gradle(1 hunks)backend/testing/build.gradle(1 hunks)ee/backend/tests/build.gradle(1 hunks)gradle.properties(1 hunks)settings.gradle(1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-06-11T16:17:35.696Z
Learnt from: cyyynthia
PR: tolgee/tolgee-platform#3126
File: backend/testing/build.gradle:78-78
Timestamp: 2025-06-11T16:17:35.696Z
Learning: The Gradle module `backend/testing` serves as an internal test pseudo-library; therefore, test-scope dependencies such as `org.springframework.boot:spring-boot-starter-test` are intentionally declared with `implementation`, as the module is only consumed on the test classpath and is not part of production artifacts.
Applied to files:
backend/app/build.gradlebackend/testing/build.gradlebackend/data/build.gradleee/backend/tests/build.gradle
🔇 Additional comments (12)
backend/security/build.gradle (1)
99-100: Good call importing junit-bom to standardize JUnit versions across the module.Because it’s imported after the Spring Boot BOM, it will override Boot-managed JUnit versions as intended.
ee/backend/tests/build.gradle (1)
81-84: Consistent junit-bom import—nice.This keeps test dependencies in sync. Since junit-bom is listed after the Boot BOM, its versions will take precedence where relevant.
backend/ktlint/build.gradle (1)
14-15: Adding io.spring.dependency-management here is sensible.This enables the junit-bom import below to manage JUnit across tests in this module.
settings.gradle (2)
78-79: Consistency of jakarta.mail exclusions and alias verifiedAll modules importing
spring-boot-starter-mailalready exclude the transitiveorg.eclipse.angus:jakarta.mailand explicitly depend onlibs.jakartaMail(v2.0.4):
- backend/testing/build.gradle (lines 77–80)
- backend/data/build.gradle (lines 105–108)
- backend/app/build.gradle (lines 87–90)
No further changes required.
74-75: Verify Azure Blob starter compatibility with Spring Boot
The Azure Blob starter version 5.23.0 targets Spring Boot 3.0.x–3.3.x (see Azure Spring Versions Mapping¹). If your project is on Spring Boot 3.4.x, you’ll need to either:
- Downgrade to Spring Boot 3.3.x (or earlier in the 3.x line), or
- Upgrade to a Spring Cloud Azure starter version that officially supports 3.4.x (e.g., 5.24.0+).
Please confirm your Spring Boot version aligns with this range.
backend/app/build.gradle (2)
131-131: httpclient5 bumped to 5.4.4 — looks goodNo obvious breaking behavior expected for common use. Keep an eye on any explicit httpcore5 pins elsewhere.
87-91: Explicit Jakarta Mail via version catalog — confirmed and approvedConfirmed that
libs.jakartaMailis defined exactly once in settings.gradle (line 78). Excluding the transitivejakarta.mailand relying on the version-catalog entry centralizes versioning and avoids drift. LGTM.backend/testing/build.gradle (1)
77-81: Explicit Jakarta Mail in testing module — consistent with app/data changesExcluding the starter’s transitive and adding libs.jakartaMail keeps the test pseudo-library aligned with the project-wide approach. Matches the team’s pattern of using implementation for test deps in this module.
backend/data/build.gradle (4)
105-109: Explicit Jakarta Mail — consistent and clearSame as other modules; this should prevent version mismatches through transitive resolution.
172-172: DataFaker updated to 2.4.4 — request verification for API changes in testsThe 2.x line introduced a few renames in the past. Compilation will catch most issues, but please verify any custom providers/locale usages.
185-185: Adding woodstox-core 7.1.1 — LGTMExplicit StAX impl can improve XML perf and stability. Watch for any duplicate StAX provider warnings at runtime (rare).
248-248: Verify JUnit BOM alignment with Spring Boot’s BOM
Bringing in JUnit BOM 5.11.4 is fine, but importing two BOMs (Boot + JUnit) can subtly shift versions. Please run dependency-insight across each module to confirm that all JUnit artifacts resolve to 5.11.4:• ./gradlew dependencyInsight --configuration testRuntimeClasspath --dependency org.junit.jupiter:junit-bom
• ./gradlew dependencyInsight --configuration testRuntimeClasspath --dependency org.junit.jupiter:junit-jupiter-engine
• ./gradlew dependencyInsight --configuration testRuntimeClasspath --dependency org.junit.jupiter:junit-jupiter-paramsEnsure there’s no unexpected version drift or overrides by Spring Boot’s BOM.
| imports { | ||
| mavenBom org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES | ||
| mavenBom 'org.junit:junit-bom:5.11.4' | ||
| } |
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
Unify junit-bom version declaration across modules.
Same suggestion as in other modules: extract 5.11.4 to a shared property or version catalog entry to prevent accidental divergence.
To confirm consistent usage across the repo, you can run:
🏁 Script executed:
#!/bin/bash
# List all places where junit-bom is imported and show surrounding lines
rg -nC2 -g '!**/build/**' -P "mavenBom\s+['\"]org\.junit:junit-bom" || trueLength of output: 1289
Unify JUnit BOM version across modules
The JUnit BOM is hard-coded to 5.11.4 in multiple Gradle scripts, which risks accidental divergence. Please extract this version into a shared property or a version catalog entry so updates remain centralized.
Files & locations to update:
- backend/security/build.gradle (line 99)
- backend/ktlint/build.gradle (line 54)
- backend/data/build.gradle (line 248)
- ee/backend/tests/build.gradle (line 83)
Suggested change (example):
- mavenBom 'org.junit:junit-bom:5.11.4'
+ mavenBom "org.junit:junit-bom:${junitBomVersion}"Define junitBomVersion in your root gradle.properties or in a version catalog to keep versioning consistent.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| imports { | |
| mavenBom org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES | |
| mavenBom 'org.junit:junit-bom:5.11.4' | |
| } | |
| imports { | |
| mavenBom org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES | |
| mavenBom "org.junit:junit-bom:${junitBomVersion}" | |
| } |
🤖 Prompt for AI Agents
In ee/backend/tests/build.gradle around lines 81 to 84 (and also update
backend/security/build.gradle line 99, backend/ktlint/build.gradle line 54,
backend/data/build.gradle line 248), the JUnit BOM version is hard-coded to
5.11.4; extract this into a single shared version and reference it from each
build file. Add a junitBomVersion entry in the root gradle.properties (or add an
entry in the version catalog) and then replace the literal
'org.junit:junit-bom:5.11.4' in each listed build.gradle with a reference to the
shared property (or the catalog alias) so all modules read the BOM version from
one centralized location. Ensure syntax matches your chosen approach (properties
vs. version catalog) and update any buildscript or plugin blocks that declare
the BOM accordingly.
| springBootVersion=3.4.8 | ||
| springDocVersion=2.8.9 |
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
Version bumps look aligned; please double-check cross-compatibility (Boot 3.4.8, Kotlin 2.1.20, springdoc 2.8.9).
These look reasonable together, but to be safe, confirm official support intersections (Kotlin 2.1.x with Spring Boot 3.4.x; springdoc 2.8.9 with Boot 3.4.x).
Also applies to: 11-11
🌐 Web query:
Does Spring Boot 3.4.8 officially support Kotlin 2.1.x?
💡 Result:
Short answer: No — Spring Boot 3.4.8 does not officially ship Kotlin 2.1.x as its managed/official Kotlin version. Spring Boot 3.4.x still manages a Kotlin 1.9.x series; upgrade to Kotlin 2.x is being tracked as a change for the next major Spring Boot line (4.x / Spring Framework 7), not for the 3.4.x line. (docs.springframework.org.cn, github.com)
What that means in practice
- Officially managed/verified Kotlin version: Spring Boot 3.4.x (including 3.4.8) uses the 1.9.x series as the BOM-managed Kotlin version. (docs.springframework.org.cn)
- You can still try to compile/run a Boot 3.4.8 app with Kotlin 2.1.x by overriding the Kotlin Gradle/Maven plugin and the kotlin.version, and many people report it can work — but it is not the BOM-managed / officially supported configuration and you may encounter binary-metadata incompatibilities between libraries compiled with different Kotlin major versions. Example: module-compiled-with-incompatible-Kotlin errors when mixing artifacts compiled for Kotlin 2.1 and a project expecting 1.9 metadata. (github.com)
If you want to proceed anyway
- For Gradle, set the kotlin plugin version to 2.1.x in your plugins block (or set kotlin.version property and align plugins), and ensure org.jetbrains.kotlin:kotlin-stdlib / kotlin-reflect match.
- For Maven, set the kotlin.version property and the kotlin-maven-plugin to 2.1.x.
- Test thoroughly (compile/test runtime), and watch for libraries you depend on that were compiled with a different Kotlin major version — those are the usual source of failures.
If you want “official”/managed Kotlin 2.x support
- Plan to use Spring Boot 4.x (once available for your environment), since the Spring team has targeted Kotlin 2.x upgrades for the next major Boot/Spring Framework line. (github.com)
If you’d like, tell me:
- whether you’re using Gradle or Maven and I can show the exact changes to force Kotlin 2.1.x in a Boot 3.4.8 project, and
- any particular libraries you depend on so I can flag likely compatibility risks.
Citations:
- 1: https://docs.springframework.org.cn/spring-boot/reference/features/kotlin.html?utm_source=chatgpt.com
- 2: https://github.com/spring-projects/spring-boot/issues/38539?utm_source=chatgpt.com
- 3: https://docs.springframework.org.cn/spring-boot/reference/features/kotlin.html?utm_source=chatgpt.com
- 4: https://github.com/square/retrofit/issues/4381?utm_source=chatgpt.com
- 5: https://github.com/spring-projects/spring-boot/issues/38539?utm_source=chatgpt.com
🌐 Web query:
Is springdoc-openapi 2.8.9 compatible with Spring Boot 3.4.x?
💡 Result:
Short answer: Yes — springdoc-openapi 2.8.9 is compatible with Spring Boot 3.4.x.
Why / details
- The official springdoc compatibility matrix lists Spring Boot 3.4.x as being built against springdoc-openapi 2.7.x–2.8.x, so any 2.8.x release (including 2.8.9) is intended for use with 3.4.x. (springdoc.org)
- The springdoc v2.8.9 release is available (v2.8.9 is a 2.8.x patch). The release notes also show the project later aligned with Spring Boot 3.5.0 in that patch, but that does not remove support for 3.4.x; nevertheless you should run your app’s tests when mixing minor versions. (github.com, springdoc.org)
Practical notes / recommendations
- Use the 2.8.x line (2.8.9) when running Spring Boot 3.4.x; the starter BOM and dependency examples on the springdoc site use 2.8.9. (springdoc.org)
- If you plan to build native images (GraalVM), be aware there have been some native-image related bugs reported around 3.4.x / early 2.8.x releases that were fixed in later 2.8 patches — test native builds specifically. (github.com)
If you want, tell me:
- which exact Spring Boot 3.4.x microversion you’re using (e.g. 3.4.1 / 3.4.5), and whether you need WebMVC or WebFlux, plus whether you build native images — I can give a tailored dependency snippet and highlight any known issues for that combo.
Citations:
- 1: https://springdoc.org/modules.html?utm_source=chatgpt.com
- 2: https://github.com/springdoc/springdoc-openapi/releases
- 3: https://springdoc.org/modules.html?utm_source=chatgpt.com
- 4: https://springdoc.org/?utm_source=chatgpt.com
- 5: https://github.com/springdoc/springdoc-openapi/issues/2870?utm_source=chatgpt.com
Ensure Kotlin version alignment with Spring Boot 3.4.8; springdoc-openapi bump is safe
Spring Boot 3.4.x still manages Kotlin 1.9.x—not 2.1.x—so overriding to Kotlin 2.1.20 in a 3.4.8 project is unsupported by the BOM and may introduce binary-metadata incompatibilities. If you intend to proceed with Kotlin 2.1.20, you must:
- Override the Kotlin Gradle/Maven plugin version to 2.1.20 and align
kotlin-stdlib/kotlin-reflectto 2.1.20 - Run your full test suite (including native-image builds, if used) to catch any runtime or metadata errors
Otherwise, revert kotlinVersion back to a 1.9.x release to stay on the officially supported path.
The bump to springdoc-openapi 2.8.9 is compatible with Boot 3.4.x (2.7.x–2.8.x line), but you should still validate with your integration or native-image tests.
Action items:
- gradle.properties line 11: confirm or revert
kotlinVersion=2.1.20 - gradle.properties lines 2–3: (
springBootVersion=3.4.8,springDocVersion=2.8.9) – springdoc change is OK; ensure tests pass after bump
🤖 Prompt for AI Agents
In gradle.properties around lines 2–3 (springBootVersion=3.4.8,
springDocVersion=2.8.9) and check line 11 for kotlinVersion, the issue is Kotlin
2.1.20 is not compatible with Spring Boot 3.4.x; either revert kotlinVersion to
a 1.9.x release to match the Boot BOM or, if you must use 2.1.20, explicitly
override the Kotlin Gradle/Maven plugin and align kotlin-stdlib and
kotlin-reflect to 2.1.20, then run the full test suite (including native-image
builds) to validate; keep springDocVersion=2.8.9 (it's compatible) but run
integration/native tests after the change.
|
Updated dependencies com.nimbusds:nimbus-jose-jwt:10.0.2 |
## [3.127.3](v3.127.2...v3.127.3) (2025-08-15) ### Bug Fixes * Update dependencies ([#3204](#3204)) ([f939f72](f939f72))
Summary by CodeRabbit