Could com.ruoyi:ruoyi-common-datasource:3.6.2 drop off redundant dependencies? #36
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi, I found that com.ruoyi:ruoyi-common-datasource:3.6.2’s pom file introduced 36 dependencies. However, among them, 35 libraries (97% have not been used by your project), the redundant dependencies are listed below.
More seriously, 1 redundant dependency contains security vulnerabilities (vulnerable libraries).
1 redundant library has not been maintained by developers for more than 3 years(outdated dependencies).
Reduce these unused dependencies can help prevent introducing bugs/vulnerabilities from dependencies with security vulnerabilities and outdated. Meanwhile, it can minimize the project size. To safely remove redundant dependencies, I constructed a complete call graph (resolved most of Java reflection and dynamic binding) , and validated that they have not been used by the client code.
This PR com.ruoyi:ruoyi-common-datasource:3.6.2 for removing the redundant dependencies have passed the tests.
Best regards
Redundant dependencies
Redundant direct dependencies:
Redundant indirect dependencies:
Redundant direct dependencies inherited from parent pom:
Redundant indirect dependencies inherited from parent pom:
Vulnerable libraries
org.yaml:snakeyaml:1.30 (CVE-2022-25857)
Outdated dependencies
jakarta.annotation:jakarta.annotation-api:1.3.5 (1314 days without maintenance)