Update in our code here: https://github.com/OpenRefine/OpenRefine/blob/3ca08f6ff189cc1bd806a1d49d2ead538882c0e2/extensions/jython/pom.xml#L124
New features and bugs fixed in Jython 2.7.2 since 2.7.1 are here:
https://github.com/jythontools/jython/blob/v2.7.2/NEWS
Generally speaking we should set up tooling to notify us of newer versions of our dependencies (and potentially create a PR to update them). I suspect that might be available for Maven-based projects like ours.
@wetneb Cool! I haven't kept completely up-to-date with Maven3 abilities for that. But sounds useful if Maven can do that for us automatically somehow....
Looks like it can with this: https://www.mojohaus.org/versions-maven-plugin/examples/display-dependency-updates.html
Hmm, but then how to notify? Maybe just do something simple like, part of a Build Failure during CI?
Ah, maybe with Enforcer plugin?
https://stackoverflow.com/questions/17463116/how-to-fail-maven-build-if-newer-version-of-dependency-exists-in-repository
But we don't want to fail every time just because of an outdated library.
Ah, we can generate a report...then send that somewhere...
https://blog.pchudzik.com/201703/how-to-keep-dependencies-up-to-date/
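The "report instead of failing the build" idea discussed above, as an added example that is not part of the original thread or of OpenRefine's build. It parses the console output of `mvn versions:display-dependency-updates` into a Markdown report and returns a non-failing exit code. The sample output is constructed, the line format (including wrapped long coordinates) is assumed to match what the plugin prints, and `must_be_current` is a hypothetical opt-in gate.

```python
import re

# Constructed sample of `mvn versions:display-dependency-updates` output
# (not captured from the OpenRefine build). Long coordinates wrap onto a
# second line, which the parser has to handle.
SAMPLE = """\
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   org.python:jython-standalone ......................... 2.7.1 -> 2.7.2
[INFO]   org.example.very.long.groupid:artifact-with-a-long-name ...
[INFO]                                                          1.0.0 -> 2.0.0
[INFO]
[INFO] BUILD SUCCESS
"""

PREFIX = re.compile(r"^\[INFO\]\s+")
COORD = re.compile(r"^([\w.\-]+:[\w.\-]+)\s+\.{2,}")   # groupId:artifactId + dot leader
VERSIONS = re.compile(r"(\S+)\s+->\s+(\S+)\s*$")       # current -> latest

def parse_updates(text):
    """Return [(coordinate, current, latest)] from the plugin's console output."""
    updates, pending = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        coord, vers = COORD.match(line), VERSIONS.search(line)
        name = coord.group(1) if coord else pending
        if vers and name:
            updates.append((name, vers.group(1), vers.group(2)))
        # Remember a coordinate only when its versions wrapped to the next line.
        pending = coord.group(1) if coord and not vers else None
    return updates

def render_report(updates):
    """Markdown body suitable for a CI job summary or an issue comment."""
    if not updates:
        return "All dependencies are up to date."
    rows = ["| Dependency | Current | Latest |", "|---|---|---|"]
    rows += [f"| `{c}` | {cur} | {new} |" for c, cur, new in updates]
    return "\n".join(rows)

def exit_code(updates, must_be_current=frozenset()):
    """0 unless an outdated dependency is on the hypothetical must-be-current list."""
    return 1 if any(c in must_be_current for c, _, _ in updates) else 0

if __name__ == "__main__":
    found = parse_updates(SAMPLE)
    print(render_report(found))
    raise SystemExit(exit_code(found))  # outdated libraries alone never fail CI
```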
I've used Dependabot for Python dependencies and it looks like there's a Java version too
https://dependabot.com/java/
There's also this vulnerability scanner, but if Dependabot's vulnerability scanner is robust enough, we can just use that.
I've done the initial setup. Dependabot's Java/Maven support is still in beta, so we should check the PRs extra carefully. It will limit itself to 5 open PRs until we clear the initial backlog. I haven't looked at the Maven structure in detail, so don't know if we'll need to separately add the subproject pom.xmls, but we should have enough PRs to keep us busy for a little while with the initial setup.
Returning to our original scheduled topic...
The Jython 2.7.2 release was back on March 21, so hopefully any critical bugs have been discovered and I didn't see anything worrying in a quick scan of their issues list for recently submitted bugs. The only potential problem I saw was https://github.com/jythontools/jython/issues/178 but I don't think the JAR within a JAR case applies to our packaging.
2.7.1 is 2 1/2 years old, so this provides a reasonable increment of bug fixes and cleanups, particularly with regard to working the same as CPython.
Agree, I don't think it will be a problem.... BUT, I cannot get our JythonEvaluable tests to even work without causing Maven errors. Are our test classes working for the Jython extension on your side?
Given: mvn verify -f "e:\GitHub Repos\OpenRefine\extensions\jython\pom.xml"
Result:
```
...
{snip}
[INFO] -------------------------------------------------------
[INFO] T E S T S
[INFO] -------------------------------------------------------
[INFO] Running TestSuite
[TestNGClassFinder] Warning: Can't link and determine methods of class com.google.refine.jython.JythonEvaluable
[ERROR] Tests run: 2, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 1.45 s <<< FAILURE! - in TestSuite
[ERROR] testWrappedObjectsHaveAttributes(com.google.refine.jython.JythonAttributeTest) Time elapsed: 0.017 s <<< FAILURE!
java.lang.Error:
Unresolved compilation problems:
Row cannot be resolved to a type
Row cannot be resolved to a type
Cell cannot be resolved to a type
Cell cannot be resolved to a type
The constructor JythonHasFieldsWrapper(HasFields, Properties) refers to the missing type HasFields
Evaluable cannot be resolved to a type
at com.google.refine.jython.JythonAttributeTest.testWrappedObjectsHaveAttributes(JythonAttributeTest.java:34)
```
> I've done the initial setup. Dependabot's Java/Maven support is still in beta, so we should check the PRs extra carefully. It will limit itself to 5 open PRs until we clear the initial backlog. I haven't looked at the Maven structure in detail, so don't know if we'll need to separately add the subproject pom.xmls, but we should have enough PRs to keep us busy for a little while with the initial setup.
@tfmorris: this looks very nice and handy! Thanks for this, it can really help and make things easier. Kudos.
Regards,
Antoine