Consider adding dependency convergence detection #13990
Comments
@marcusdacoregio based on this comment, I think the idea was to add general purpose detection when convergence issues arise. But I don't have too much experience with that. gh-14047 definitely solves the most immediate problem, so I'll let others weigh in on whether more general detection is still needed. @ThomasKasene
I'll weigh in my own experience - make of it what you will 😄 My team maintains a large number of Spring Boot applications which all use Spring Security for OAuth 2.0 stuff. When Boot 3.1.1 (I think) was released, Dependabot gave us a bunch of PRs to upgrade, but all the builds broke because we use the We could have overridden the versions of the offending dependency in all the apps, and that would've been the "correct" thing to do. Doing so would've meant having to look out for changes/fixes in Spring Security to this issue (like the one provided through #13843). In the meantime, we'd have to manage any Dependabot PRs about In the end, a general lack of bandwidth forced us to jump to plan B, which was simply to not upgrade to Spring Boot 3.1.1 at all. The fix didn't arrive until 3.1.5, so our adoption rate crashed down to zero in the meantime. So yeah, a dependency convergence error on this exact artifact has happened before, and perhaps the Nimbus stuff is particularly prone to it because their release cycles are so out of sync. But the idea was to get something in place to prevent these kinds of issues from happening at all in the future. 😃
Thanks, @ThomasKasene. I'll keep this open and label it as ideal for contribution because I think it can be worth adding that to prevent such problems. It would be great if someone could investigate what would be needed to apply the plugin that you mentioned.
Hello @marcusdacoregio, can I take this one?
Hello, @andreilisa. Yes, the issue is yours. I'd start by adding the plugin to the build and check what dependencies should be aligned to have a successful compilation.
Yes, got it. I will ask here if I have additional questions.
Hey @marcusdacoregio, after stating to ExcludeDependencies.
I get the following error message and I can't understand where the problem is:
But if I comment
Can you have a look at dependency_convergence_detection?
Hi, @andreilisa. It seems that the plugin performs the check in every configuration available, where, ideally, I think it should only check the
@marcusdacoregio, Related PR 14256?
We should consider adding dependency convergence detection to our build to prevent issues like gh-13843. For example, the following dependencies must agree on the version of com.nimbusds:nimbus-jose-jwt:

spring-security-oauth2-client
  -> com.nimbusds:oauth2-oidc-sdk
    -> com.nimbusds:nimbus-jose-jwt
spring-security-oauth2-jose
  -> com.nimbusds:nimbus-jose-jwt

See comment and related issue for more information.
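One way to detect exactly this kind of disagreement in a Gradle build, as an added example that is neither from the issue nor from the Spring Security build: a task that walks the resolved graph of the compile and runtime classpaths only (rather than every configuration, which the maintainer comment above identifies as too broad) and fails when a module such as com.nimbusds:nimbus-jose-jwt is requested at more than one version. It assumes a Gradle Groovy DSL project with the java-library plugin applied; the task name checkDependencyConvergence and the configuration list are assumptions of this example.

```groovy
// Added example (not from the issue or the Spring Security build). Assumes a
// Gradle Groovy DSL project with the java-library plugin applied, so that the
// compileClasspath and runtimeClasspath configurations exist.
import org.gradle.api.artifacts.component.ModuleComponentSelector
import org.gradle.api.artifacts.result.ResolvedDependencyResult

// Only the classpaths that actually ship or compile code are checked (assumption).
def checkedConfigurations = ['compileClasspath', 'runtimeClasspath']

tasks.register('checkDependencyConvergence') {
    description = 'Fails if two dependency paths disagree on the version of a module'
    doLast {
        // module "group:name" -> requested version -> set of "config: requester"
        def requestedVersions = [:]
        checkedConfigurations.each { configName ->
            def result = configurations.getByName(configName).incoming.resolutionResult
            result.allDependencies.each { dep ->
                if (!(dep instanceof ResolvedDependencyResult)) return
                def requested = dep.requested
                // Skip project dependencies and version-less constraints.
                if (!(requested instanceof ModuleComponentSelector) || !requested.version) return
                def module = "${requested.group}:${requested.module}"
                requestedVersions.computeIfAbsent(module, { [:] })
                                 .computeIfAbsent(requested.version, { [] as Set })
                                 .add("${configName}: ${dep.from.id.displayName}")
            }
        }
        // Any module with more than one distinct requested version is a convergence failure,
        // e.g. nimbus-jose-jwt asked for by oauth2-oidc-sdk and by spring-security-oauth2-jose.
        def messages = requestedVersions.findAll { module, versions -> versions.size() > 1 }
                                        .collect { module, versions ->
            "${module} is requested at ${versions.keySet()}:\n" +
                versions.collect { v, requesters -> "  ${v} <- ${requesters.join(', ')}" }.join('\n')
        }
        if (messages) {
            throw new GradleException('Dependency convergence failed:\n' + messages.join('\n'))
        }
    }
}

// Run the check as part of the normal verification lifecycle.
tasks.named('check') { dependsOn 'checkDependencyConvergence' }
```

Because the task inspects requested versions rather than the winning one, it reports the disagreement even when Gradle's default conflict resolution would otherwise silently pick the highest version.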