Could com.ruoyi:ruoyi-common-datasource:3.6.2 drop off redundant dependencies? #36

Open
wants to merge 1 commit into master

@slimming-fat slimming-fat commented Mar 8, 2023


Hi, I found that com.ruoyi:ruoyi-common-datasource:3.6.2’s pom file introduced 36 dependencies. However, among them, 35 libraries (97%) have not been used by your project; the redundant dependencies are listed below.

More seriously, 1 redundant dependency contains security vulnerabilities (vulnerable libraries).

1 redundant library has not been maintained by developers for more than 3 years (outdated dependencies).

Reducing these unused dependencies can help prevent introducing bugs/vulnerabilities from dependencies that have security vulnerabilities or are outdated. Meanwhile, it can minimize the project size. To safely remove redundant dependencies, I constructed a complete call graph (resolving most Java reflection and dynamic binding), and validated that they have not been used by the client code.

This PR for com.ruoyi:ruoyi-common-datasource:3.6.2, removing the redundant dependencies, has passed the tests.

Best regards

Redundant dependencies

Redundant direct dependencies:

     com.alibaba:druid-spring-boot-starter:1.2.16:compile [20 KB]

Redundant indirect dependencies:

     org.aspectj:aspectjweaver:1.9.7:compile [1 MB]
     org.springframework:spring-context:5.3.24:compile [1 MB]
     org.springframework.boot:spring-boot-starter:2.7.7:compile [4 KB]
     org.slf4j:slf4j-api:1.7.36:compile [40 KB]
     jakarta.annotation:jakarta.annotation-api:1.3.5:compile [24 KB]
     org.springframework:spring-jdbc:5.3.24:compile [418 KB]
     org.springframework:spring-tx:5.3.24:compile [325 KB]
     org.springframework:spring-expression:5.3.24:compile [282 KB]
     org.yaml:snakeyaml:1.30:compile [323 KB]
     org.springframework.boot:spring-boot-starter-aop:2.7.7:compile [4 KB]
     ch.qos.logback:logback-core:1.2.11:compile [438 KB]
     org.springframework.boot:spring-boot-starter-logging:2.7.7:compile [4 KB]
     org.springframework.boot:spring-boot:2.7.7:compile [1 MB]
     org.springframework:spring-beans:5.3.24:compile [686 KB]
     org.apache.logging.log4j:log4j-api:2.17.2:compile [295 KB]
     ch.qos.logback:logback-classic:1.2.11:compile [226 KB]
     com.alibaba:druid:1.2.16:compile [3 MB]
     org.springframework:spring-aop:5.3.24:compile [373 KB]
     org.springframework.boot:spring-boot-starter-jdbc:2.7.7:compile [4 KB]
     org.apache.logging.log4j:log4j-to-slf4j:2.17.2:compile [17 KB]
     org.springframework:spring-jcl:5.3.24:compile [23 KB]
     org.springframework:spring-core:5.3.24:compile [1 MB]
     com.zaxxer:HikariCP:4.0.3:compile [155 KB]
     org.springframework.boot:spring-boot-autoconfigure:2.7.7:compile [1 MB]
     org.slf4j:jul-to-slf4j:1.7.36:compile [4 KB]

Redundant direct dependencies inherited from parent pom:

     org.springframework.cloud:spring-cloud-starter-bootstrap:3.1.5:compile [3 KB]

Redundant indirect dependencies inherited from parent pom:

     org.springframework.cloud:spring-cloud-starter:3.1.5:compile [2 KB]
     org.bouncycastle:bcpkix-jdk15on:1.69:compile [887 KB]
     org.bouncycastle:bcprov-jdk15on:1.69:compile [5 MB]
     org.springframework.cloud:spring-cloud-context:3.1.5:compile [154 KB]
     org.springframework.security:spring-security-rsa:1.0.11.RELEASE:compile [19 KB]
     org.springframework.cloud:spring-cloud-commons:3.1.5:compile [253 KB]
     org.springframework.security:spring-security-crypto:5.7.6:compile [80 KB]
     org.bouncycastle:bcutil-jdk15on:1.69:compile [351 KB]

Vulnerable libraries

org.yaml:snakeyaml:1.30 (CVE-2022-25857)

Outdated dependencies

jakarta.annotation:jakarta.annotation-api:1.3.5 (1314 days without maintenance)
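A reviewer-side sanity check for a report in this format, as an added example that is not the PR author's tool: it parses the `groupId:artifactId:version:scope [size]` lines, totals the removable size, flags the coordinate the PR names as vulnerable, and greps the client code's imports for packages of the supposedly unused jars. The package-prefix map, the report subset and the client source file are constructed for the example; an import scan cannot see reflection or Spring auto-configuration, which is why the author built a call graph rather than relying on this kind of pass.

```python
import re

# One report line: groupId:artifactId:version:scope [size unit]; and a Java import.
DEP_RE = re.compile(r"^\s*([\w.\-]+):([\w.\-]+):([\w.\-]+):(\w+)\s+\[(\d+)\s*(KB|MB)\]\s*$")
IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+)\s*;", re.M)

# groupId:artifactId -> Java package prefixes that jar ships. Constructed for this
# example; a real check would read the package list out of the jar itself.
PACKAGE_PREFIXES = {
    "com.alibaba:druid": ["com.alibaba.druid"],
    "org.yaml:snakeyaml": ["org.yaml.snakeyaml"],
}
# Vulnerable coordinate named in the PR.
KNOWN_VULNERABLE = {("org.yaml", "snakeyaml", "1.30"): "CVE-2022-25857"}

def parse_report(text):
    """Return (group, artifact, version, scope, size_kb) per dependency line; headings are skipped."""
    deps = []
    for m in filter(None, map(DEP_RE.match, text.splitlines())):
        g, a, v, s, n, unit = m.groups()
        deps.append((g, a, v, s, int(n) * (1024 if unit == "MB" else 1)))
    return deps

def referenced_deps(deps, java_sources):
    """Coordinates whose packages the client code imports. Imports only: uses via
    reflection or Spring auto-configuration are invisible to this pass."""
    pkgs = {imp.rsplit(".", 1)[0] for src in java_sources for imp in IMPORT_RE.findall(src)}
    hit = set()
    for g, a, *_ in deps:
        for prefix in PACKAGE_PREFIXES.get(f"{g}:{a}", ()):
            if any(p == prefix or p.startswith(prefix + ".") for p in pkgs):
                hit.add(f"{g}:{a}")
    return hit

def vulnerable(deps):
    """CVE per coordinate, for the coordinates the PR flags as vulnerable."""
    return {f"{g}:{a}": KNOWN_VULNERABLE[(g, a, v)] for g, a, v, *_ in deps if (g, a, v) in KNOWN_VULNERABLE}

# Constructed inputs: a subset of the PR's report and a hypothetical client source file.
REPORT = """\
Redundant direct dependencies:
  com.alibaba:druid-spring-boot-starter:1.2.16:compile [20 KB]
Redundant indirect dependencies:
     org.yaml:snakeyaml:1.30:compile [323 KB]
     com.alibaba:druid:1.2.16:compile [3 MB]
"""
CLIENT_SOURCE = """\
import com.alibaba.druid.pool.DruidDataSource;
import org.springframework.context.annotation.Bean;
"""
```

With the constructed source file, `referenced_deps` reports `com.alibaba:druid` as still imported, which is exactly the kind of line a reviewer would want to look at before merging a removal.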
