Description

Some third-party JAR dependencies in the current project are outdated and may pose security risks, performance issues, or compatibility challenges. We need to systematically identify and update these dependencies while ensuring project stability during the upgrade process. This issue will serve as a centralized tracker for all related PRs and welcomes contributions from the community.

Goals

1. Identify all outdated/inactively maintained dependencies (via mvn versions:display-dependency-updates scans or manual review).
2. Create independent subtasks (child issues) for each dependency requiring updates, labeled with priority (e.g., security-critical, functionality-blocking, low-risk).
3. Submit PRs to update versions incrementally, with the following requirements:
   • Each PR addresses only one dependency update.
   • Include necessary unit/integration test validations.
   • Update relevant documentation (e.g., configuration examples, version notes).
4. Maintain a list of updated dependencies (see comments section below).

How to Contribute?

1. Check the Pending Dependencies List.
2. Comment below to claim a dependency (e.g., "Claiming: com.example:old-lib upgrade from 1.2.3 to 2.0.0").
3. Reference this issue in your PR description (use Closes #123 or Related to #123).

Submitted PRs (Ongoing Updates)

• update log4j version and adjust related dependencies
• migrate from fastjson to fastjson2 across multiple services

Notes

⚠️ Compatibility Checks:

• Document API incompatibilities (e.g., Guava 20→32+) in child issues.
• Prioritize Long-Term Support (LTS) versions.

💡 Collaboration Tips:

• For complex upgrades (e.g., major Spring Framework versions), propose a discussion first.
• Use mvn dependency:tree to analyze transitive dependency conflicts.

Resources

• Communication channels: Mailing List

All contributions are welcome—even updating a single dependency makes a difference! 🚀