Clojurians Log v2

Clojure programming

Channels

# 100-days-of-code # aatree # admin-announcements # adventofcode # ai # alda # aleph # all-the-channels # announcements # arachne # architecture # asami # atlanta-clojurians # atom-editor # autochrome-github # avi # aws # aws-lambda # babashka # babashka-sci-dev # bangalore-clj # beginners # berlin # biff # bigdata # bitcoin # boot # boot-dev # boulder-clojurians # braid-chat # braveandtrue # brevis # bristol-clojurians # business # calva # capetown # carry # cbus # cestmeetup # chestnut # chlorine-clover # cider # circleci # clara # clj-commons # cljdoc # cljfx # clj-http # clj-kondo # clj-on-windows # cljs-dev # cljs-experience # cljsfiddle # cljsjs # cljsrn # cljtogether # clojars # clojure # clojure-android # clojure-argentina # clojure-art # clojure-austin # clojure-australia # clojure-austria # clojure-bangladesh # clojure-bay-area # clojure-beijing # clojure-belgium # clojure-berlin # clojure-boston # clojure-brasil # clojurebridge # clojurebridge-ams # clojure-canada # clojure-chennai # clojure-chicago # clojure-china # clojure-colombia # clojure-conj # clojurecup # clojure-czech # clojured # clojure-denmark # clojure-denver # clojure-derby # clojuredesign-podcast # clojure-dev # clojure-dusseldorf # clojure-ecuador # clojure-egypt # clojure-estonia # clojure-europe # clojure-filipino # clojure-finland # clojure-france # clojure-gamedev # clojure-germany # clojure-greece # clojure-guangzhou # clojure-hamburg # clojure-hk # clojure-houston # clojure-hungary # clojure-india # clojureindia # clojure-indonesia # clojure-ireland # clojure-israel # clojure-italy # clojure-japan # clojure-kc # clojure-korea # clojure-losangeles # clojure-madison # clojure-mexico # clojure-miami # clojure-mk # clojure-mke # clojure-morsels # clojure-my # clojure-new-zealand # clojure-nl # clojure-nlp # clojure-norway # clojure-poland # clojure-portugal # clojure-provo # clojure-quebec # clojureremote # clojure-romania # clojure-russia # clojure-sanfrancisco # clojurescript # clojurescript-ios # clojure-sdn # clojure-seattle # clojure-serbia # clojure-sg # clojure-shanghai # clojure-spain # clojure-spec # clojuresque # clojure-survey # clojure-sweden # clojure-switzerland # clojure-taiwan # clojure-turkiye # clojure-uk # clojure-ukraine # clojureverse-ops # clojurewerkz # clojurewest # clojurex # clojure-za # clojurian-chat-app # clojutre # cloverage # cloxp # clr # code-art # code-reviews # community-development # component # conf-proposals # conjure # consulting # contributions-welcome # copenhagen-clojurians # core-async # core-logic # core-matrix # core-typed # cryogen # crypto # css # cursive # cz-clojure # d2q # datacrypt # datahike # datalevin # datalog # data-oriented-programming # data-science # datascript # datavis # dato # datomic # defnpodcast # deps-new # depstar # devcards # devops # dirac # docker # docs # domino-clj # duct # dunaj # eastwood # editors # emacs # error-message-catalog # etaoin # ethereum # euroclojure # events # exercism # expound # figwheel # figwheel-main # flambo # fulcro # funcool # functionalprogramming # funimage # garden # ghostwheel # girouette # gis # google-cloud # gorilla # graalvm # graalvm-mobile # graclj # graphql # gratitude # gsoc # hammock-driven-dev # helix # heroku # hispano # holy-lambda # honeysql # hoplon # hugsql # humor # hypercrud # hyperfiddle # immutant # improve-getting-started # incanter # indycljs # inf-clojure # instaparse # integrant # interceptors # interop # introduce-yourself # iot # iotivity # ipfs # jackdaw # jaunt # java # javascript # javelin # jobs # jobs-discuss # jobs-rus # joker # jukebox # juxt # jvm # kaocha # keechma # kekkonen # keyboards # klipse # kosmos # lambdaisland # ldnclj # ldnproclodo # lein-figwheel # leiningen # liberator # liquid # livestream # local-first-clojure # london-clojurians # lsp # luminus # lumo # mail # malli # mathematics # meander # melbourne # membrane # mental-health # microservices # mid-cities-meetup # midje # minecraft # minimallist # missionary # monads # mount # music # new-channels # new-clojure # nextjournal # nginx # nrepl # numerical-computing # nyc # observability # off-topic # om # om-next # onyx # other-languages # other-lisps # overtone # pamela # parinfer # pathom # pedestal # perun # philosophy # phzr # planck # plastic # play-clj # podcasts # polylith # portal # portkey # portland-or # powderkeg # practicalli # precept # prelude # programming-beginners # project-updates # proletarian # proton # protorepl # pulsar # pure-frame # qa # qlkit # quil # random # rdf # react # reactive # reading-clojure # reagent # reclojure # re-frame # reitit # releases # remote-jobs # respo # rethinkdb # reveal # rewrite-clj # ring # ring-swagger # robots # rum # schema # sci # sfcljs # shadow-cljs # _silence # sim-testing # sioux-falls # slack-help # sneer # sneer-br # spacemacs # specmonstah # specter # speculative # spirituality-ethics # sql # startup-in-a-month # sydney # test200 # test-check # testing # thejaloniki # timbre # tmp-json-parsing # tools-build # tools-deps # trading # tree-sitter # uncomplicate # unrepl # untangled # utah-clojurians # videos # vim # vrac # vscode # wasm # web-security # windows # xtdb # yada # yleinen

Apps

tools-deps

Discuss tools.deps.alpha, tools.build, and the clj/clojure command-line scripts! See also #depstar #clj-new

2021-03-09T11:21:28.200Z

Do you know how to auth with

<https://my.datomic.com/repo>

with deps without setting the $HOME/.maven config ?

alexmiller 2021-03-09T13:37:28.200900Z

I don’t think you can

borkdude 2021-03-09T14:21:18.201500Z

Just some feedback: I've had the cognitect test-runner problem several times again today, and I'm pretty sure I didn't interrupt anything

alexmiller 2021-03-09T14:35:11.201700Z

noted, update coming soon

alexmiller 2021-03-09T14:36:35.202400Z

I am also wondering if there is some issue with the whole shelling out process not running to completion or something

alexmiller 2021-03-09T14:37:07.203Z

are you running this in some way such that ~/.gitlibs doesn't exist each time?

borkdude 2021-03-09T14:42:24.203800Z

I am sometimes just rm -rf ~/.gitlibs (because of problems) and then when I try again, everything works like expected. but if I go to another project which uses a different SHA of the test runner, I run into this problem

zane 2021-03-09T16:59:15.205700Z

I recall there’s a way to get clj / clojure to include its own dependencies in -Stree, but I don’t remember what it was. Could someone remind me?

seancorfield 2021-03-09T17:16:38.206600Z

@zane If you use -Sdeps, they'll be included in -Stree I believe. If you use -X:deps tree they won't, as I recall.

zane 2021-03-09T17:31:56.206800Z

Hmm. Like so? All I’m seeing is spec.

❯ clojure -Stree -Sdeps '{}'
org.clojure/clojure 1.10.2
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56

seancorfield 2021-03-09T17:36:21.207Z

Oh, I misread your question. clj/`clojure` are shell scripts so they do not have dependencies, but what I think you mean is you want to see the tools.deps.alpha stuff?

(! 843)-&gt; clojure -Stree -A:deps
org.clojure/clojure 1.10.2
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56
org.clojure/tools.deps.alpha 0.10.889
  . org.apache.maven.resolver/maven-resolver-api 1.6.1
  . org.apache.maven.resolver/maven-resolver-spi 1.6.1
    . org.apache.maven.resolver/maven-resolver-api 1.6.1
  . org.apache.maven.resolver/maven-resolver-impl 1.6.1
    . org.apache.maven.resolver/maven-resolver-api 1.6.1
    . org.apache.maven.resolver/maven-resolver-spi 1.6.1
    . org.apache.maven.resolver/maven-resolver-util 1.6.1
    . org.apache.commons/commons-lang3 3.8.1
    . org.slf4j/slf4j-api 1.7.30 :newer-version
  . org.apache.maven.resolver/maven-resolver-util 1.6.1
... and a screenful more ...

zane 2021-03-09T17:48:01.207200Z

Probably! This is that issue I mentioned before where a third-party security scan is flagging Jetty as having vulnerabilities.

zane 2021-03-09T17:51:16.207400Z

I’m trying to figure out which version of Jetty winds up being included in the .jars the clj and clojure shell scripts rely on.

zane 2021-03-09T17:51:25.207600Z

I think what you posted above does what I want.

zane 2021-03-09T17:54:12.207800Z

The vulnerability they’re worried about was fixed in org.eclipse.jetty_jetty-io 9.4.36, but alas it looks like tools.deps still relies on org.eclipse.jetty/jetty-io 9.4.24.v20191120.

alexmiller 2021-03-09T18:02:18.208Z

the chain of deps down to that can be upgraded to address that, just hasn't yet

alexmiller 2021-03-09T18:02:31.208200Z

or that is, it has been, but tools.deps isn't using it yet

alexmiller 2021-03-09T18:02:39.208400Z

but I will get that in the next build

seancorfield 2021-03-09T18:04:06.208600Z

@zane That vulnerability is in the server or the client portion of that library? ISTR that t.d.a uses only the non-vulnerable part of Jetty (we had this discussion already, didn't we?)

alexmiller 2021-03-09T18:08:46.208800Z

I don't think it's an issue, but upgrading regardless

alexmiller 2021-03-09T18:09:06.209Z

committed, will be in next build

zane 2021-03-09T18:09:44.209200Z

It’s definitely not a real issue, but thank you all the same @alexmiller!

zane 2021-03-09T18:10:55.209400Z

@seancorfield > That vulnerability is in the server or the client portion of that library? Server. > we had this discussion already, didn’t we? We sure did. Our partner’s security team keeps flagging this issue even though in the past they’ve accepted our explanation that our software doesn’t use Jetty’s web server. 😩

seancorfield 2021-03-09T18:11:40.209600Z

Sorry 😞 Some of those security folks can be... a bit intransigent...

zane 2021-03-09T18:15:39.209800Z

Yeah, I mean, I understand their position but it’s definitely a hassle.