Dependency convergence detection #14256
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
marcusdacoregio
added
in: build
| rule(enforcer.rules.ForceDependencies) { r -> | ||
| r.dependencies.add("org.eclipse.jetty:jetty-util:11.0.11") | ||
| r.dependencies.add("org.apache.commons:commons-lang3:3.12.0") | ||
| r.dependencies.add("commons-logging:commons-logging:1.2") | ||
| r.dependencies.add("commons-io:commons-io:2.11.0") | ||
| r.dependencies.add("org.slf4j:slf4j-api:2.0.9") | ||
| r.dependencies.add("com.jcraft:jsch:0.1.55") | ||
| r.dependencies.add("com.google.code.findbugs:jsr305:3.0.2") | ||
| r.dependencies.add("commons-codec:commons-codec:1.15") | ||
| r.dependencies.add("com.fasterxml.jackson.core:jackson-databind:2.13.4.2") | ||
| r.dependencies.add("com.fasterxml.jackson.core:jackson-core:2.13.4") | ||
| r.dependencies.add("com.google.guava:guava:30.0-jre") | ||
| r.dependencies.add("org.apache.httpcomponents:httpclient:4.5.14") | ||
| r.dependencies.add("com.thoughtworks.xstream:xstream:1.4.19") | ||
| r.dependencies.add("org.apache.httpcomponents:httpcore:4.4.16") | ||
| r.dependencies.add("net.bytebuddy:byte-buddy:1.14.6") | ||
| r.dependencies.add("org.junit.jupiter:junit-jupiter-api:5.10.1") | ||
| } |
There was a problem hiding this comment.
Can you explain why this is needed? I wonder if we will need to keep updating this rule often.
There was a problem hiding this comment.
Here I force using specific version of library.
As an example let's have first one org.eclipse.jetty:jetty-util:11.0.11 without it a compile error occur.
> Conflict found for the following module:
- org.eclipse.jetty:jetty-util between versions 11.0.11 and 9.4.50.v20221201
Yes I agree with you about wondering but I haven`t found another solution to fix version conflicts.
There was a problem hiding this comment.
Hello, @marcusdacoregio any news about it or something to change ?
There was a problem hiding this comment.
Hi, @andreilisa. I haven't got time to go through it yet. I'm not also sure if we should force such dependencies. I'll try to review it soon to have an idea if it can cause any trouble for us in the future.
|
Hi, @andreilisa. Thank you so much for your time in investigating how to integrate the dependency convergence detection into the build. However, I feel that even if applying this change, we are not going to fix the problem (which doesn't exist anymore, this is just a safety mechanism to prevent that for happening again) and it may cause more trouble resolving our dependencies. There is also some thoughts being given to get rid of the dependency that causes trouble #14245, allowing us to get rid of https://github.com/spring-projects/spring-security/blob/main/buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java. With that said, I'll close this as not planned for now and as we mature the idea, we might reopen it in the future. |
marcusdacoregio
added
the
status: declined
Adding dependency convergence detection
Related to 13990