How to update versions or add new libraries in micronaut-bom?

[altro3]

Issue description

Hello! Please tell me how to correctly update (and add) the versions of the libraries in the BOM file?

For example, I want to update the version of ElasticSearch in the bom file. I see that the file https://github.com/micronaut-projects/micronaut-core/blob/3.1.x/gradle/libs.versions.toml is version managed-elasticsearch = "7.12.1". But there is a separate project for ElasticSearch - micronaut-elasticsearch. But for elasticsearch there is a separate project and in it in gradle.properties there is also a propsian version - elasticsearchVersion = 7.12.1. Which version will eventually be final in the BOM file if update it in a separate project microanut-elasticsearch?

Also, I would like to ask how to correctly add libraries to the micronaut BOM? For example, elasticsearch uses log4j2 and for correct use of slf4j you need to connect additionally org.apache.logging.log4j:log4j-to-slf4j library. But the version of this library is not in your BOM file and this creates some inconvenience.

Same problem with some slf4j components (org.slf4j: jcl-over-slf4j, org.slf4j: log4j-over-slf4j, org.slf4j: jul-to-slf4j). It would be cool if you could use all these components without worrying about the version (this is done in spring boot).

I also noticed that many of the libraries received updates a long time ago. Some versions have not been updated for over a year (for example caffeine not updated for six months ). What is the mechanism for updating versions in your project?

[ilopmar]

In general, you don't need to modify the version catalog when upgrading a dependency. This only applies to direct dependencies in micronaut-core (like for example Netty). For dependencies in any micronaut module, long story short, we upgrade every dependency version we need in the module, release a new verison of it and then we receive automatically a new PR in core to upgrade the versions.

This is how it works for the Elasticsearch module (for example):

• Upgrade the module as you already did Upgrade to Elasticsearch 7.15.1 and Microanut 3.1.3 micronaut-elasticsearch#246
• We release a new version of the module.
• The bomProperty is the name of the micronaut module that will be updated in core's version catalog. In this case micronautElasticsearchVersion is "converted" to managed-micronaut-elasticsearch and the value is the version of the module we've just released. In this case 4.0.0. This conversion is done to keep compatibility with previous versions of micronaut's bom.
• bomProperties=elasticsearchVersion means that elasticsearchVersion (managed-elasticsearch after the conversion) in core's version catalog will be updated with the value of that property from the module. In this case 7.15.2
• Finally githubCoreBranch=3.2.x means that the upgrade PR will be sent to core's branch 3.2.x

The PR to core is sent automatically as part as the release process, see https://github.com/micronaut-projects/micronaut-elasticsearch/runs/4175916484?check_suite_focus=true#step:17:39

This is the upgrade PR: #6504

As a summary, you only need to modify manually core's version catalog when there is a new micronaut module or when updating a direct dependency in core.

I hope this makes things a little bit clear.

[altro3]

@ilopmar Hi! Thank you for youe help!

So, this answer describes the process of upgrading versions prefixed with managed. It remains to deal with other questions:

1. How to update versions (not managed) correctly, for example, I want to update the caffeine library from version 2.9.1 to 3.0.4. What should I do? Create a pull request or does a bot do it?

2. How to add new libraries to the bom file correctly? For example, slf4j artifacts (org.slf4j:jcl-over-slf4j, org.slf4j:log4j-over-slf4j, org.slf4j:jul-to-slf4j)

3. I saw that you have replaced the testcontainers version with 1.16.2 in micronaut-elasticsearch. So, here the question arises: why are not uniform versions of libraries used in all subprojects? And also: how to correctly update the version of testcontainers in the bom file?

[ilopmar]

Answering your questions:
1.- If you want to upgrade a "core" library like Caffeine I recommend you to open an issue to discuss it. Specially since this seem to be a major version upgrade, so better discuss this before spending time working on it.
2.- We don't include every dependency in our BOM. As before, open an issue to get feedback about it.
3.- Every Micronaut module has it's own release cycle an dependencies. We try to upgrade all of them but it's impossible to keep all of them up-to-date regarding dependencies. For the case of Testcontainers, it is a managed dependency, which means that is it exposed to applications that apply our BOM. This way users don't need to define a version in their applications and worry regarding the selected version will work or not with their specific Micronaut version.
But in the modules is different because we need to wait to use the specific Micronaut version that includes the upgrade to be able to define it without the version. In the case of Elasticsearch module, without defining the version, 1.15.3 was being pulled from the BOM. As I want to use the latest one, I defined it there.

[graemerocher]

Caffeine is currently JARJARed in core into io.micronaut.caffeine (something we need to remove) the managed version of caffeine is defined here https://github.com/micronaut-projects/micronaut-cache/blob/020ff838bd6d9f3c5e2f7d0fb393a8e24fb707c1/gradle.properties#L9

We haven't upgraded to 3.x yet because it is Java 11 only