Fix #244 issue

[TENIOS]

Proposed Changes

• Uncomment JUnit dependency scope;
• Exclude Example.java file from build.

Fixes #244 issue.

If the presence of the Example.java file in build is mandatory, then I can revert this change.

[AppVeyorBot]

✅ Build minestat 1.0.0.475 completed (commit 1bf185c0d8 by @TENIOS)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[ldilley]

Thank you for submitting these changes, @TENIOS.

[TENIOS]

@ldilley, thank you for accepting the changes. How soon will they be published on the Maven Repository?

[ldilley]

You are welcome. Maven Central does not allow overwriting an existing JAR file of the same name. Since MineStat-3.0.6.jar is currently published, redeploying the same version cannot replace the instance on the remote. The version would need to be incremented and a new JAR built. Since nothing changed in the Java code, it did not seem prudent to update the version. As a result, the Maven package would not be updated until the next version change. Did you need an updated package built for you in the interim? I can make a copy available somewhere for download if necessary.

[TENIOS]

You are welcome. Maven Central does not allow overwriting an existing JAR file of the same name. Since MineStat-3.0.6.jar is currently published, redeploying the same version cannot replace the instance on the remote. The version would need to be incremented and a new JAR built. Since nothing changed in the Java code, it did not seem prudent to update the version. As a result, the Maven package would not be updated until the next version change. Did you need an updated package built for you in the interim? I can make a copy available somewhere for download if necessary.

You are correct, my changes do not include any code changes. But these changes affect the final build file. If you look at pom.xml on Maven Central you will see that it doesn't contain these changes so my fix doesn't make any sense until someone makes changes to the code so you can publish a new version. In addition it uses previous versions of dependencies, for example gson has version 2.10.1 when it was updated to version 2.11.0. Most projects use this practice to update dependencies if they contain a vulnerability. This does not mean that you need to publish a new version for every minor change or change in the dependency version. This usually happens after the number of changes has accumulated for a patch.

I think this is a weighty change because it adds a test dependency to the project that ends up in the final build where it doesn't belong. I didn't mean to make you look unprofessional. I apologize for the inconvenience.

I'm going to make a few more minor changes, including to the code. I hope you will publish them.

[TENIOS]

#246

[ldilley]

You are correct, my changes do not include any code changes. But these changes affect the final build file. If you look at pom.xml on Maven Central you will see that it doesn't contain these changes so my fix doesn't make any sense until someone makes changes to the code so you can publish a new version.

Other than a slightly larger file size (14,505 versus 13,814 bytes), are you experiencing build and/or runtime errors using the current v3.0.6 JAR available from Maven Central? I am trying to understand the impact.

In addition it uses previous versions of dependencies, for example gson has version 2.10.1 when it was updated to version 2.11.0. Most projects use this practice to update dependencies if they contain a vulnerability. This does not mean that you need to publish a new version for every minor change or change in the dependency version. This usually happens after the number of changes has accumulated for a patch.

The published v3.0.6 JAR is dependent on a Gson that is only 1 version behind the latest release at this time (https://github.com/google/gson/releases). Is there anything in the v2.11.0 changelog at the aforementioned link that stands out to you as a significant fix or feature we could leverage in this project?

Regarding vulnerabilities, have a look at https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=gson and https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=junit. CVE-2022-25647 pertains to Gson <v2.8.9 (we're at v2.10.1) and CVE-2020-15250 is for JUnit >=4.7 and <4.13.1 (we're at v4.13.2).

I think this is a weighty change because it adds a test dependency to the project that ends up in the final build where it doesn't belong. I didn't mean to make you look unprofessional. I apologize for the inconvenience.

I'm going to make a few more minor changes, including to the code. I hope you will publish them.

That test dependency is quite small from a storage standpoint. With regard to your unprofessional comment, I never interpreted your text as such. I also do not consider your request as an inconvenience. I am just attempting to better understand the urgency to deploy a new version given my replies above. I'll take a look at PR #246 now and provide feedback shortly.

[ldilley]

I have reviewed, modified, and merged PR #246. Changes to comments and spacing along with rearranging the contents of pom.xml do not yield any functional difference. I am still not seeing a compelling reason to deploy a new version at this point.