Switch to OpenFeign fork of Querydsl #3335
The original QueryDSL's last release was July 2021, and last commit was October 2022.
The OpenFeign project have forked it and have made an effort to update it.
https://github.com/OpenFeign/querydsl
Spring should consider moving to this new fork.
Version 6 would match the other dependencies (Hibernate, in particular) used by Spring 6.
(from spring-projects/spring-boot#39316)

Comments

We've been observing Querydsl evolution closely as we're interested in surfacing dependency upgrades towards our users. We do not plan to upgrade towards the new coordinate with the emergence of a fork with questionable design decisions (removal of the BOM, introduction of circular dependencies). Have you also seen that the original Querydsl project has shipped a 5.1 release? We continue to stay in touch with the Querydsl devs to figure out the best way forward. There's a strong community around Querydsl.

Yes, I was about to come point out that someone has been spurred into at least some action back on the original. Ideally it actually starts getting commits again.

The BOM is not removed. They generate it at build time.

I don't see where they have done that. Querydsl already has dependencies on Spring projects, if that's what you mean.

That's interesting, because they don't stay in touch with anyone else, which is why this fork was made.

It did not. The only commits in the QueryDSL repo have been from dependabot. They have made one release (5.1) in the last four years. OpenFeign have made twelve releases on both the 5.x (javax) and 6.x (jakarta) branches in the last six months. I would like Spring to reconsider, as all the reasons previously given appear to be invalid.

Is there any reconsideration of this? It's been 8 months since the Openfeign fork was created. Do we have to wait and see this more until the original is active?

It's worth mentioning again that the OpenFeign fork has been extremely active and they appear to be proper stewards of the project. The "official" QueryDSL repo on the other hand hasn't had any real legitimate activity in 2 years. I currently work on a team that has made heavy use of QueryDSL and the concern has been that QueryDSL was "dead". OpenFeign's work is promising but it would go a long way if Spring also acknowledged that it was the path forward.

@OrangeDog well, actually they communicated with me once. To say they weren't willing to take my fork changes as it was too big to review and they were unwilling to maintain code they didn't review. That's super rich, as they are not willing to maintain existing code either.

With no active resolution or known plan for the original code repository of QueryDSL to resolve CVE-2024-49203, this should be heavily considered moving forward. And appreciate your work @velo resolving this CVE in the new branch.