Skip to content

build(deps): secure Dokka Jackson classpath#795

Open
jbeckwith-oai wants to merge 1 commit into
codex/update-dokkafrom
codex/secure-dokka-jackson
Open

build(deps): secure Dokka Jackson classpath#795
jbeckwith-oai wants to merge 1 commit into
codex/update-dokkafrom
codex/secure-dokka-jackson

Conversation

@jbeckwith-oai

Copy link
Copy Markdown
Contributor

Summary

  • align every Jackson module on Dokka-only Gradle configurations to 2.18.9
  • keep the SDK's published Jackson dependency at 2.18.9
  • keep the lower 2.14.0 Jackson compatibility test unchanged

This is stacked on #791, which upgrades the build-only Dokka plugin to 2.1.0 while preserving the existing documentation pipeline and links.

Why

Dokka 2.1.0 declares Jackson 2.15.3. Its Gradle plugin creates Jackson-bearing GFM, HTML, Javadoc, and Jekyll plugin/runtime configurations across the root project and every subproject. In openai-java-core, the SDK compatibility rule also previously forced some of those build-tool configurations down to 2.14.0.

The new rule applies only to configuration names beginning with dokka. A full configuration scan found 110 Jackson-bearing Dokka configurations; all 110 now resolve the complete Jackson family to 2.18.9 with zero mismatches or resolution failures. SDK compile, test, runtime, and publication configurations are outside this rule.

This removes Dokka build-classpath paths for Dependabot alerts 58, 94, 96, 98, and 100. Alerts that also observe the intentional 2.14.0 compatibility-test classpath may remain open; raising that compatibility floor would be a separate downstream-compatibility decision.

Compatibility

  • all four published Maven POMs are byte-for-byte identical to the refreshed build(deps): update Dokka to 2.1.0 #791 parent
  • Gradle module metadata is semantically identical; only regenerated artifact checksums differ
  • production and source JAR entry contents are identical
  • Javadoc JAR entry lists and artifact names are identical
  • the 9,691-file aggregate Javadoc tree is byte-for-byte identical
  • internal Javadoc link references and targets are unchanged
  • every published class remains Java 8 bytecode (class major version 52)
  • Dokka and its Jackson classpath remain build-only and do not appear in published metadata

Validation

  • all 110 Jackson-bearing Dokka configurations resolve only Jackson 2.18.9
  • ./scripts/lint
  • ./scripts/build
  • ./scripts/test
  • ./scripts/detect-breaking-changes origin/codex/update-dokka
  • ./gradlew clean publish -PpublishLocal --no-configuration-cache
  • aggregate Dokka Javadoc generation
  • GFM, HTML, Javadoc, and Jekyll collector/multimodule classpath resolution
  • before/after comparison of POMs, Gradle module metadata, production/source JAR contents, Javadoc entries, aggregate Javadocs, internal links, and class-file versions

@jbeckwith-oai jbeckwith-oai requested a review from a team as a code owner July 16, 2026 01:48
@jbeckwith-oai jbeckwith-oai changed the title fix(deps): secure Dokka Jackson classpath build(deps): secure Dokka Jackson classpath Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant