Dependency convergence detection #14256
rule(enforcer.rules.ForceDependencies) { r -> | ||
r.dependencies.add("org.eclipse.jetty:jetty-util:11.0.11") | ||
r.dependencies.add("org.apache.commons:commons-lang3:3.12.0") | ||
r.dependencies.add("commons-logging:commons-logging:1.2") | ||
r.dependencies.add("commons-io:commons-io:2.11.0") | ||
r.dependencies.add("org.slf4j:slf4j-api:2.0.9") | ||
r.dependencies.add("com.jcraft:jsch:0.1.55") | ||
r.dependencies.add("com.google.code.findbugs:jsr305:3.0.2") | ||
r.dependencies.add("commons-codec:commons-codec:1.15") | ||
r.dependencies.add("com.fasterxml.jackson.core:jackson-databind:2.13.4.2") | ||
r.dependencies.add("com.fasterxml.jackson.core:jackson-core:2.13.4") | ||
r.dependencies.add("com.google.guava:guava:30.0-jre") | ||
r.dependencies.add("org.apache.httpcomponents:httpclient:4.5.14") | ||
r.dependencies.add("com.thoughtworks.xstream:xstream:1.4.19") | ||
r.dependencies.add("org.apache.httpcomponents:httpcore:4.4.16") | ||
r.dependencies.add("net.bytebuddy:byte-buddy:1.14.6") | ||
r.dependencies.add("org.junit.jupiter:junit-jupiter-api:5.10.1") | ||
} |
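Review bot: every entry in this `ForceDependencies` block hard-codes an exact version with no note on why it is pinned (for example `jackson-databind:2.13.4.2`, `xstream:1.4.19`, `guava:30.0-jre`), so the list becomes a second place where versions have to be bumped, and a forgotten entry would keep forcing the listed version even after another dependency asks for a newer, patched release. Suggest a short comment per entry naming the conflict it resolves, so an entry can be removed once that conflict is gone, and keeping the test-only pin `junit-jupiter-api:5.10.1` apart from the runtime libraries.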
Can you explain why this is needed? I wonder if we will need to keep updating this rule often.
Here I force using a specific version of each library.
As an example, let's take the first one, org.eclipse.jetty:jetty-util:11.0.11:
without it, a compile error occurs.
> Conflict found for the following module:
- org.eclipse.jetty:jetty-util between versions 11.0.11 and 9.4.50.v20221201
Yes, I agree with you about wondering, but I haven't found another solution to fix version conflicts.
Hello, @marcusdacoregio, any news about it or something to change?
Hi, @andreilisa. I haven't got time to go through it yet. I'm also not sure if we should force such dependencies. I'll try to review it soon to have an idea if it can cause any trouble for us in the future.
Hi, @andreilisa. Thank you so much for your time in investigating how to integrate the dependency convergence detection into the build. However, I feel that even if we apply this change, we are not going to fix the problem (which doesn't exist anymore, this is just a safety mechanism to prevent that from happening again) and it may cause more trouble resolving our dependencies. There are also some thoughts being given to getting rid of the dependency that causes trouble #14245, allowing us to get rid of https://github.com/spring-projects/spring-security/blob/main/buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java. With that said, I'll close this as not planned for now and as we mature the idea, we might reopen it in the future.
Adding dependency convergence detection
Related to 13990