3.5.0 introduces javax.annotation through shrinkwrap 2.0.0-beta-2

[evandongen]

Describe the bug

In our project we use the maven enforcer to ban javax.* dependencies. After a dependabot update for testcontainers-keycloak from 3.4.0 to 3.5.0, it fails because javax.activation:jar:1.2.0 is now a (transitive) dependency

We recently migrated our project to use jakarta.* dependencies, which worked like a charm with 3.4.0. Perhaps this is an unwanted side-effect from the shrinkwrap 1.2.6 --> 2.0.0-beta-2 update? I have fixed it for now in our codebase with using an exclusion in the pom file.

Version

3.5.0

Expected behavior

Our maven build works without excluding javax.annotation in the pom.xml

Actual behavior

The build fails due to 3.5.0 introducing javax.annotation dependency through shrinkwrap 2.0.0 beta 2.

How to Reproduce?

No response

Relevant log output

Error:  Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.5.0:enforce (enforce-lib-ban) on project frankframework-core: 
Error:  Rule 4: org.apache.maven.enforcer.rules.dependency.BannedDependencies failed with message:
Error:  Don't touch versions, we should use jakarta.activation-api:2.1.3
Error:  org.frankframework:frankframework-core:jar:8.3.0-SNAPSHOT
Error:     com.github.dasniko:testcontainers-keycloak:jar:3.5.0
Error:        org.jboss.shrinkwrap:shrinkwrap-impl-base:jar:2.0.0-beta-2
Error:           com.sun.activation:javax.activation:jar:1.2.0 <--- banned via the exclude/include list

Anything else?

No response

[dasniko]

Thx for reporting.
I'll investigate today and do a new patch release if easily possible. Hopefully just excluding the javax.activation dependency is enough.

[evandongen]

It is for now, but I just wanted to report it as well!