Modernize dependencies, upgrade Java target to 25, and fix deprecated API usage

[mbjones]

Summary

This PR modernizes the build configuration, upgrades key dependencies to address security vulnerabilities, and eliminates a set of deprecated API usages across production and test code.

---

Changes

Build / Dependency cleanup (pom.xml)

• Java 25: Set maven.compiler.release=25 as the compile target (tested with Java 17, 21, and 25).
• Dependency pruning: Removed unused dependencies and consolidated transitive duplicates, reducing pom.xml by ~160 lines.
• Apache HttpComponents: Aligned httpclient and httpclient-cache to 4.5.14 across all transitive paths.
• JAXB: Added jakarta.xml.bind-api and jaxb-runtime 2.3.2 to support the module system on Java 17+.
• Deployment: Switched from Sonatype deployment to wagon-ssh-external 3.5.3 deploying to scpexe://maven.dataone.org/var/www/maven, matching the configuration used in d1_common_java. Removed the Sonatype repository entry.
• d1_common_java: Updated dependency to 2.4.3-SNAPSHOT; added test-jar classifier dependency to restore test infrastructure.
• hazelcast: completely removed all references to hazelcast, including Hazelcast properties file.
• Removed extraneous buildInfo.properties resource, and unused Maven plugin declarations. Updated SCM URLs to current GitHub addresses.

Security fix: BouncyCastle upgrade (CertificateManager.java, pom.xml)

• Replaced vulnerable bcprov-jdk15on/bcpkix-jdk15on 1.52 with bcprov-jdk18on/bcpkix-jdk18on 1.84 (the current jdk18on line).
• In CertificateManager: replaced removed X509CertificateObject constructor with JcaX509CertificateConverter; replaced removed DERUTF8String with ASN1UTF8String; guarded Security.addProvider() to avoid duplicate registration; updated catch clause from CertificateParsingException to CertificateException.
• Excluded the transitive bcprov-jdk15on pulled in by d1_test_resources to avoid classpath conflicts.

Deprecated API cleanup (production code)

• ProvResourceMapBuilder.java, DataPackage v1/v2: replaced IOUtils.toInputStream(String) and IOUtils.toString(InputStream) with explicit StandardCharsets.UTF_8 overloads.
• HttpConnectionMonitorService.java: minor cleanup of deprecated usage.

Deprecated API cleanup (test code)

• DataPackageTest v1/v2, D1ObjectTest v1/v2, ProvResourceMapBuilderTest: replaced all IOUtils charset-implicit overloads with StandardCharsets.UTF_8.
• EchoTestRestClientIT: replaced new DefaultHttpClient() with HttpClients.createDefault(); introduced a newRestClient() helper to centralize construction; updated all IOUtils calls with explicit charset.
• EchoTestMultipartRestClientIT: updated 8 IOUtils.toString(InputStream) calls with explicit StandardCharsets.UTF_8.

---

Testing

• Build compiles cleanly against Java 25 (mvn clean test).
• Targeted unit tests pass under the upgraded BouncyCastle 1.84 provider.

---

Not included (deferred)

• AutoCloseInputStream deprecations in MultipartD1Node (6 sites) — requires architectural decision on the local wrapper class.
• BaseException.getPid() deprecations in in-memory test nodes (2 sites).
• CertificateManager broader deprecation cluster: Observable, legacy SSLSocketFactory/ALLOW_ALL_HOSTNAME_VERIFIER, getSubjectDN(), Runtime.exec() — deferred for a focused TLS/auth modernization pass.

[Copilot]

Pull request overview

This PR updates the project’s build/dependency configuration (including a Java target bump) and modernizes several production/test code paths to remove deprecated API usages (notably Commons IO charset-implicit overloads and older HttpClient/BouncyCastle APIs).

Changes:

• Modernize pom.xml (dependency upgrades/pruning, repository/SCM/deployment updates, Java release target change).
• Update production code to use explicit UTF-8 overloads and newer BouncyCastle APIs.
• Update test code to use explicit UTF-8 overloads and newer HttpClient construction patterns.

Reviewed changes

Copilot reviewed 16 out of 17 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
pom.xml	Updates versions/deps/build config, sets Java release target, and changes distribution/scm/repo configuration.
src/main/java/org/dataone/client/auth/CertificateManager.java	Updates BouncyCastle usage to work with newer jdk18on artifacts and adjusts certificate parsing/conversion.
src/main/java/org/dataone/client/utils/HttpConnectionMonitorService.java	Minor cleanup (explicit init; logger constant).
src/main/java/org/dataone/client/v1/itk/DataPackage.java	Uses explicit UTF-8 when reading the resource map content.
src/main/java/org/dataone/client/v2/itk/DataPackage.java	Uses explicit UTF-8 when reading the resource map content.
src/main/java/org/dataone/ore/ProvResourceMapBuilder.java	Uses explicit UTF-8 when converting serialized ResourceMap content to an InputStream.
src/main/resources/buildInfo/buildInfo.properties	Removes a build info resource file.
src/main/resources/org/dataone/configuration/config.xml	Removes reference to Hazelcast properties.
src/main/resources/org/dataone/configuration/d1hazelcast.properties	Removes Hazelcast properties file.
src/test/java/org/dataone/client/impl/rest/EchoTestMultipartRestClientIT.java	Uses explicit UTF-8 when reading response bodies in integration tests.
src/test/java/org/dataone/client/impl/rest/EchoTestRestClientIT.java	Replaces deprecated HttpClient instantiation and uses explicit UTF-8.
src/test/java/org/dataone/client/v1/itk/D1ObjectTest.java	Uses explicit UTF-8 when reading DataSource streams in tests.
src/test/java/org/dataone/client/v1/itk/DataPackageTest.java	Uses explicit UTF-8; adjusts exception handling around IOUtils changes.
src/test/java/org/dataone/client/v2/itk/D1ObjectTest.java	Uses explicit UTF-8 when reading DataSource streams in tests.
src/test/java/org/dataone/client/v2/itk/DataPackageTest.java	Uses explicit UTF-8; adjusts exception handling around IOUtils changes.
src/test/java/org/dataone/ore/ProvResourceMapBuilderTest.java	Uses explicit UTF-8 when converting RDF/XML strings to InputStreams.
.gitignore	Adds .vscode/ to ignored files.

Comments suppressed due to low confidence (3)

pom.xml:174

• buildInfo/buildInfo.properties is still listed as a filtered resource include, but the file was removed in this PR. Keeping this resource block is misleading and duplicates resource handling; it should be removed (or the file restored).

    <resources>
      <resource>
        <directory>src/main/resources</directory>
        <filtering>true</filtering>
        <includes>
          <include>buildInfo/buildInfo.properties</include>
        </includes>
      </resource>

src/test/java/org/dataone/client/v2/itk/DataPackageTest.java:174

• Catching RuntimeException here and converting it to fail(e.getMessage()) loses the original exception as the test failure cause (and can make debugging harder). Let the RuntimeException propagate so the test fails with the original stack trace.

            } catch (RuntimeException e) {
                e.printStackTrace();
                fail(e.getMessage());

            }

src/test/java/org/dataone/client/v1/itk/DataPackageTest.java:174

• Catching RuntimeException here and converting it to fail(e.getMessage()) loses the original exception as the test failure cause (and can make debugging harder). Let the RuntimeException propagate so the test fails with the original stack trace.

            } catch (RuntimeException e) {
                e.printStackTrace();
                fail(e.getMessage());

            }

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.