Dependency convergence detection #14256


andreilisa

Adding dependency convergence detection

Related to 13990

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 7, 2023
@marcusdacoregio marcusdacoregio self-assigned this Dec 7, 2023
@marcusdacoregio marcusdacoregio added in: build An issue in the build type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 7, 2023
Comment on lines +13 to +30
rule(enforcer.rules.ForceDependencies) { r ->
r.dependencies.add("org.eclipse.jetty:jetty-util:11.0.11")
r.dependencies.add("org.apache.commons:commons-lang3:3.12.0")
r.dependencies.add("commons-logging:commons-logging:1.2")
r.dependencies.add("commons-io:commons-io:2.11.0")
r.dependencies.add("org.slf4j:slf4j-api:2.0.9")
r.dependencies.add("com.jcraft:jsch:0.1.55")
r.dependencies.add("com.google.code.findbugs:jsr305:3.0.2")
r.dependencies.add("commons-codec:commons-codec:1.15")
r.dependencies.add("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
r.dependencies.add("com.fasterxml.jackson.core:jackson-core:2.13.4")
r.dependencies.add("com.google.guava:guava:30.0-jre")
r.dependencies.add("org.apache.httpcomponents:httpclient:4.5.14")
r.dependencies.add("com.thoughtworks.xstream:xstream:1.4.19")
r.dependencies.add("org.apache.httpcomponents:httpcore:4.4.16")
r.dependencies.add("net.bytebuddy:byte-buddy:1.14.6")
r.dependencies.add("org.junit.jupiter:junit-jupiter-api:5.10.1")
}
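Review bot: Each `r.dependencies.add(...)` entry in this `ForceDependencies` rule pins an exact version as a string literal, with no comment naming the conflict it settles, so a later reader cannot tell which entries are still needed. For libraries that parse untrusted input, such as `com.thoughtworks.xstream:xstream:1.4.19` and `com.fasterxml.jackson.core:jackson-databind:2.13.4.2`, a forced version stays at that release until someone edits this list, so a patch upgrade declared elsewhere in the build would not take effect for these modules. Suggest a comment per entry stating the conflicting versions it resolves, and taking the version numbers from one place in the build rather than repeating them here.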
Contributor

Can you explain why this is needed? I wonder if we will need to keep updating this rule often.

Author

Here I force the use of a specific version of a library.
As an example, let's take the first one, org.eclipse.jetty:jetty-util:11.0.11: without it, a compile error occurs.

> Conflict found for the following module:
    - org.eclipse.jetty:jetty-util between versions 11.0.11 and 9.4.50.v20221201

Yes, I agree with you about wondering, but I haven't found another solution to fix version conflicts.

Author

Hello @marcusdacoregio, any news about it, or something to change?

Contributor

Hi, @andreilisa. I haven't got time to go through it yet. I'm also not sure if we should force such dependencies. I'll try to review it soon to have an idea if it can cause any trouble for us in the future.

@marcusdacoregio
Contributor

Hi, @andreilisa. Thank you so much for your time in investigating how to integrate the dependency convergence detection into the build. However, I feel that even if we apply this change, we are not going to fix the problem (which doesn't exist anymore, this is just a safety mechanism to prevent that from happening again) and it may cause more trouble resolving our dependencies. There are also some thoughts being given to getting rid of the dependency that causes trouble #14245, allowing us to get rid of https://github.com/spring-projects/spring-security/blob/main/buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java.

With that said, I'll close this as not planned for now and as we mature the idea, we might reopen it in the future.

@marcusdacoregio marcusdacoregio added the status: declined A suggestion or change that we don't feel we should currently apply label Jan 17, 2024
Labels
in: build An issue in the build status: declined A suggestion or change that we don't feel we should currently apply type: enhancement A general enhancement