Bump plugin from 4.31 to 4.33 #476

Closed


dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jan 6, 2022

Bumps plugin from 4.31 to 4.33.

Release notes

Sourced from plugin's releases.

4.33

🚀 New features and improvements

  • Bump Jenkins version to 2.249; clean up plugin parent POM (#480) @basil

📦 Dependency updates

👻 Maintenance

4.32

💥 Compatibility warning

The Enforcer update in #456 triggers new errors in many plugins involving provided scope. If a Dependabot update produces a build failure mentioning RequireUpperBoundDeps, first update the plugin BOM to 1090.v0a_33df40457a_ or later (which necessitates updating the minimum Jenkins version to 2.289.1 or later), then rebase the Dependabot update against the result with @dependabot rebase. If you cannot update the plugin BOM to 1090.v0a_33df40457a_ or later, then exclude the problematic dependency trail to satisfy Enforcer.

You will also need to switch annotations from javax.annotation.* to edu.umd.cs.findbugs.annotations.* equivalents as in jenkinsci/jenkins#4604.

🚨 Removed

🚀 New features and improvements

🐛 Bug fixes

📦 Dependency updates

... (truncated)

Commits
  • 875cb59 [maven-release-plugin] prepare release plugin-4.33
  • 6bf6ae8 Bump incrementals-maven-plugin from 1.2 to 1.3 (#483)
  • 4c577ad Bump frontend-maven-plugin from 1.12.0 to 1.12.1 (#484)
  • d1250ce Bump incrementals-enforcer-rules from 1.2 to 1.3 (#485)
  • 112c708 Sort a few dependencies in the dependencyManagement section (#482)
  • 05c9e09 Merge pull request #480 from basil/cleanup
  • 8347830 Bump Jenkins version to 2.249; clean up plugin parent POM
  • cd17304 Bump maven-site-plugin from 3.9.1 to 3.10.0 (#481)
  • 0955f6e Adopt POM Code Convention (#479)
  • ce864e3 [maven-release-plugin] prepare for next development iteration
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jan 6, 2022
@jglick
Member

jglick commented Jan 6, 2022

problem with jaxb-api

@basil
Member

basil commented Jan 6, 2022

> problem with jaxb-api

But just in test scope, so can be easily worked around with:

diff --git a/pipeline-model-definition/pom.xml b/pipeline-model-definition/pom.xml
index f6df95db..5799f8e5 100644
--- a/pipeline-model-definition/pom.xml
+++ b/pipeline-model-definition/pom.xml
@@ -233,6 +233,12 @@
       <groupId>com.jcabi</groupId>
       <artifactId>jcabi-matchers</artifactId>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>javax.xml.bind</groupId>
+          <artifactId>jaxb-api</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
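
Review bot: the new <exclusions> block under jcabi-matchers has no comment saying why jaxb-api is excluded, so a later cleanup cannot tell whether it is still needed. Add an XML comment above <exclusion> naming the Enforcer failure it works around. Since the dependency is <scope>test</scope>, also confirm that no test relies on javax.xml.bind classes arriving through jcabi-matchers before merging.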

@basil
Member

basil commented Jan 6, 2022

Kind of interesting that recent versions of XStream declare a provided dependency on jaxb-api:

+-org.jenkinsci.plugins:pipeline-model-definition:1.9.4-SNAPSHOT
  +-com.jcabi:jcabi-matchers:1.5.3 [test]
    +-javax.xml.bind:jaxb-api:2.2.12 [provided]

and

+-org.jenkinsci.plugins:pipeline-model-definition:1.9.4-SNAPSHOT
  +-org.jenkins-ci.main:jenkins-core:2.321 [provided]
    +-com.thoughtworks.xstream:xstream:1.4.18 [provided] (managed) <-- com.thoughtworks.xstream:xstream:1.4.18 [provided]
      +-javax.xml.bind:jaxb-api:2.3.1 [provided]

We don't actually ship this JAR, and we have a separate plugin for JAXB, so perhaps we should exclude jaxb-api from XStream in core to reflect actual practice. This would likely prevent some awkward Enforcer errors in the future.
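
The two trails in the comment above can be checked mechanically. The following is an added example, not code from this PR or from the Enforcer plugin: it parses trails in that format and reports each artifact requested at more than one version, together with the parent an exclusion would go on. The function names and the plain numeric version ordering are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Trails copied from the comment above.
TRAILS = """\
+-org.jenkinsci.plugins:pipeline-model-definition:1.9.4-SNAPSHOT
  +-com.jcabi:jcabi-matchers:1.5.3 [test]
    +-javax.xml.bind:jaxb-api:2.2.12 [provided]
+-org.jenkinsci.plugins:pipeline-model-definition:1.9.4-SNAPSHOT
  +-org.jenkins-ci.main:jenkins-core:2.321 [provided]
    +-com.thoughtworks.xstream:xstream:1.4.18 [provided] (managed) <-- com.thoughtworks.xstream:xstream:1.4.18 [provided]
      +-javax.xml.bind:jaxb-api:2.3.1 [provided]
"""

# Leading indent, then "+-groupId:artifactId:version"; the rest of the line is ignored.
NODE = re.compile(r"^(\s*)\+-([^:\s]+):([^:\s]+):(\S+)")

def version_key(version):
    # Assumption: numeric ordering of dotted versions. Maven's own comparator
    # also ranks qualifiers such as -SNAPSHOT, which this sketch ignores.
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_trails(text):
    """Yield (groupId:artifactId, version, path) where path lists the ancestors
    of the node followed by the node itself."""
    stack = []  # (indent, "g:a:v") for the current chain of ancestors
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        indent, group, artifact, version = len(m[1]), m[2], m[3], m[4]
        while stack and stack[-1][0] >= indent:
            stack.pop()  # a shallower or equal indent starts a new branch
        stack.append((indent, f"{group}:{artifact}:{version}"))
        yield f"{group}:{artifact}", version, [node for _, node in stack]

def upper_bound_conflicts(text):
    """Map each artifact seen at several versions to its highest version and to
    the direct parents that pull in a lower one."""
    seen = defaultdict(dict)  # coordinate -> {version: first path seen}
    for coord, version, path in parse_trails(text):
        seen[coord].setdefault(version, path)
    report = {}
    for coord, versions in seen.items():
        if len(versions) > 1:
            newest = max(versions, key=version_key)
            parents = sorted(p[-2] if len(p) > 1 else p[-1]
                             for v, p in versions.items() if v != newest)
            report[coord] = {"upper_bound": newest, "exclude_from": parents}
    return report
```

Run over the trails above, the only conflict reported is jaxb-api, with jcabi-matchers as the parent carrying the lower version, which is where the diff earlier in the thread places the exclusion.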

@jglick
Member

jglick commented Jan 7, 2022

Anyway, as seen in e.g. #472 tests are broken in CI for this plugin, so it would take some extra effort to process the PR queue.

@basil
Member

basil commented Jan 7, 2022

> Anyway, as seen in e.g. #472 tests are broken in CI for this plugin, so it would take some extra effort to process the PR queue.

But they pass in BOM tests, so not that much extra effort I would think. I think the problem is basically the 6 tests that are excluded in BOM's excludes.txt, which seem to require more memory/CPU than are available in container agents.

@jglick
Member

jglick commented Jan 7, 2022

> seem to require more memory/CPU

Maybe should just be @Ignored or something.

@basil
Member

basil commented Jan 7, 2022

> Maybe should just be @Ignored or something.

Let's see if #477 passes.

@dependabot dependabot bot force-pushed the dependabot/maven/org.jenkins-ci.plugins-plugin-4.33 branch 2 times, most recently from c6e7242 to 866d556 Compare January 19, 2022 18:31
Bumps [plugin](https://github.com/jenkinsci/plugin-pom) from 4.31 to 4.33.
- [Release notes](https://github.com/jenkinsci/plugin-pom/releases)
- [Changelog](https://github.com/jenkinsci/plugin-pom/blob/master/CHANGELOG.md)
- [Commits](jenkinsci/plugin-pom@plugin-4.31...plugin-4.33)

---
updated-dependencies:
- dependency-name: org.jenkins-ci.plugins:plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/maven/org.jenkins-ci.plugins-plugin-4.33 branch from 866d556 to 4b560a0 Compare January 20, 2022 20:14
@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Feb 14, 2022

A newer version of org.jenkins-ci.plugins:plugin exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@basil
Member

basil commented Mar 17, 2022

@dependabot rebase

@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Mar 17, 2022

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@car-roll
Contributor

closed in favor of #503

@car-roll car-roll closed this Mar 23, 2022
@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Mar 23, 2022

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/maven/org.jenkins-ci.plugins-plugin-4.33 branch March 23, 2022 21:53