Skip to content

Security & dependencies#8

Merged
perNyfelt merged 20 commits intomainfrom
security_dependencies
Dec 16, 2025
Merged

Security & dependencies#8
perNyfelt merged 20 commits intomainfrom
security_dependencies

Conversation

@perNyfelt
Copy link
Member

@perNyfelt perNyfelt commented Dec 16, 2025

This pull request introduces comprehensive improvements to the project's dependency management and publishing documentation, with a focus on security, clarity, and minimizing the dependency footprint. The most important changes include switching to a lighter Apache Tika dependency, adding detailed guides for dependency and publishing best practices, and marking key security and publishing checklist items as complete.

Dependency Management Improvements:

  • Switched from using the full tika-parsers-standard-package and tika-parser-text-module dependencies to just tika-core in gi-common/build.gradle, significantly reducing the size and number of transitive dependencies for MIME type detection.
  • Added a new docs/DEPENDENCIES.md guide that explains the dependency structure, rationale for using tika-core, instructions for adding full Tika parsers if needed, security scanning with OWASP Dependency Check, and best practices for keeping dependencies up to date.

Security and Publishing Documentation:

  • Added a new docs/PUBLISHING.md guide detailing the process for publishing to Maven Central, including Sonatype account setup, GPG signing, credential configuration, release steps, troubleshooting, and CI/CD integration.
  • Updated the TODO.md checklist to mark OWASP Dependency Check integration, Tika dependency documentation, and signing credentials documentation as complete.

Security & dependencies
3c430b9 
- 5.1 Add OWASP Dependency Check plugin to scan for CVEs in transitive dependencies.
- 5.2 Document the Tika dependency impact (100+ transitive deps, ~50MB fat JAR) and consider providing a lighter "minimal" build profile.
- 5.3 Document required signing credentials setup (signing.keyId, sonatypeUsername, sonatypePassword) for publishing.
Copilot AI review requested due to automatic review settings December 16, 2025 22:47
Copilot AI reviewed Dec 16, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request enhances the project's dependency management and documentation by switching to a lightweight Tika dependency, adding comprehensive OWASP security scanning, and providing detailed guides for publishing and dependency management. The changes reduce the project's dependency footprint from ~60MB to ~11-15MB while maintaining full functionality.

Key Changes

  • Replaced heavy Tika parser dependencies with lightweight tika-core (~1MB vs ~50MB)
  • Added OWASP Dependency Check plugin integration for CVE scanning
  • Created comprehensive publishing and dependency management documentation

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
gi-common/build.gradle Removed tika-parsers-standard-package and tika-parser-text-module dependencies, keeping only tika-core for MIME detection
build.gradle Added OWASP Dependency Check plugin with security scanning configuration
docs/PUBLISHING.md New comprehensive guide for Maven Central publishing with GPG setup, credentials management, and CI/CD integration
docs/DEPENDENCIES.md New guide documenting dependency structure, Tika optimization rationale, security scanning, and version compatibility
TODO.md Marked security and dependency-related tasks as complete

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copy link
Contributor

Copilot AI commented Dec 16, 2025

@perNyfelt I've opened a new pull request, #9, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI mentioned this pull request Dec 16, 2025
Merged
perNyfelt and others added 2 commits December 16, 2025 23:57
@perNyfelt
Update docs/DEPENDENCIES.md
4a702e6 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Initial plan
ed4beb9
Copilot AI mentioned this pull request Dec 16, 2025
Merged
Copy link
Contributor

Copilot AI commented Dec 16, 2025

@perNyfelt I've opened a new pull request, #10, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI mentioned this pull request Dec 16, 2025
Merged
Copy link
Contributor

Copilot AI commented Dec 16, 2025

@perNyfelt I've opened a new pull request, #11, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI mentioned this pull request Dec 16, 2025
Merged
Copy link
Contributor

Copilot AI commented Dec 16, 2025

@perNyfelt I've opened a new pull request, #12, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI and others added 12 commits December 16, 2025 22:58
@perNyfelt
Fix DEPENDENCIES.md to accurately reflect CI workflow behavior
33fc340 
Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
@perNyfelt
Document both file-based and in-memory GPG signing approaches in PUBL…
6d6c76c 
…ISHING.md

Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
@perNyfelt
Fix GPG secret naming discrepancy in PUBLISHING.md
ddf8fdf 
Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
@perNyfelt
Update GPG signing docs with modern approach and security improvements
c902fc9 
Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
@perNyfelt
Clarify GPG key export examples in documentation
1051c15 
Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
@perNyfelt
Improve CI/CD secret handling in GPG signing examples
ebc5819 
Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
@perNyfelt
Merge pull request #12 from Alipsa/copilot/sub-pr-8-yet-again
b08b7fa 
Fix GPG secret naming inconsistency in publishing documentation
@perNyfelt
Merge branch 'security_dependencies' into copilot/sub-pr-8-another-one
a0c3395
@perNyfelt
Merge pull request #11 from Alipsa/copilot/sub-pr-8-another-one
463c5bb 
Improve GPG signing documentation security and modernize approach
@perNyfelt
Merge pull request #10 from Alipsa/copilot/sub-pr-8-again
741baf7 
Fix DEPENDENCIES.md CI/CD workflow description
@perNyfelt
Merge branch 'security_dependencies' into copilot/sub-pr-8
a2d66a4
@perNyfelt
Merge pull request #9 from Alipsa/copilot/sub-pr-8
28e4b6b 
Document both file-based and in-memory GPG signing for publishing
@perNyfelt perNyfelt requested a review from Copilot December 16, 2025 23:07
Copilot AI reviewed Dec 16, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

perNyfelt and others added 2 commits December 17, 2025 00:13
@perNyfelt
Update docs/PUBLISHING.md
9471422 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@perNyfelt
Update docs/PUBLISHING.md
3a0f48e 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@perNyfelt perNyfelt merged commit 31f7697 into main Dec 16, 2025
2 checks passed
@perNyfelt perNyfelt deleted the security_dependencies branch December 16, 2025 23:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@perNyfelt