Skip to content

Dependency convergence detection #14256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@ apply plugin: 'org.springframework.security.sagan'
apply plugin: 'org.springframework.github.milestone'
apply plugin: 'org.springframework.github.changelog'
apply plugin: 'org.springframework.github.release'
apply plugin: 'org.springframework.security.versions.verify-dependencies-versions'

group = 'org.springframework.security'
description = 'Spring Security'
Expand Down
4 changes: 0 additions & 4 deletions buildSrc/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -67,10 +67,6 @@ gradlePlugin {
id = "s101"
implementationClass = "s101.S101Plugin"
}
verifyDependenciesVersions {
id = "org.springframework.security.versions.verify-dependencies-versions"
implementationClass = "org.springframework.security.convention.versions.VerifyDependenciesVersionsPlugin"
}
}
}

Expand Down
32 changes: 32 additions & 0 deletions buildSrc/settings.gradle
Original file line number Diff line number Diff line change
@@ -1,3 +1,35 @@
buildscript {
repositories {
gradlePluginPortal()
}
dependencies {
classpath 'org.kordamp.gradle:enforcer-gradle-plugin:0.13.0'
}
}
apply plugin: 'org.kordamp.gradle.enforcer'

enforce {
rule(enforcer.rules.DependencyConvergence)
rule(enforcer.rules.ForceDependencies) { r ->
r.dependencies.add("org.eclipse.jetty:jetty-util:11.0.11")
r.dependencies.add("org.apache.commons:commons-lang3:3.12.0")
r.dependencies.add("commons-logging:commons-logging:1.2")
r.dependencies.add("commons-io:commons-io:2.11.0")
r.dependencies.add("org.slf4j:slf4j-api:2.0.9")
r.dependencies.add("com.jcraft:jsch:0.1.55")
r.dependencies.add("com.google.code.findbugs:jsr305:3.0.2")
r.dependencies.add("commons-codec:commons-codec:1.15")
r.dependencies.add("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
r.dependencies.add("com.fasterxml.jackson.core:jackson-core:2.13.4")
r.dependencies.add("com.google.guava:guava:30.0-jre")
r.dependencies.add("org.apache.httpcomponents:httpclient:4.5.14")
r.dependencies.add("com.thoughtworks.xstream:xstream:1.4.19")
r.dependencies.add("org.apache.httpcomponents:httpcore:4.4.16")
r.dependencies.add("net.bytebuddy:byte-buddy:1.14.6")
r.dependencies.add("org.junit.jupiter:junit-jupiter-api:5.10.1")
}
Comment on lines +13 to +30
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain why this is needed? I wonder if we will need to keep updating this rule often.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here I force using specific version of library.
As an example let's have first one org.eclipse.jetty:jetty-util:11.0.11 without it a compile error occur.

> Conflict found for the following module:
    - org.eclipse.jetty:jetty-util between versions 11.0.11 and 9.4.50.v20221201

Yes I agree with you about wondering but I haven`t found another solution to fix version conflicts.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello, @marcusdacoregio any news about it or something to change ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, @andreilisa. I haven't got time to go through it yet. I'm not also sure if we should force such dependencies. I'll try to review it soon to have an idea if it can cause any trouble for us in the future.

}

dependencyResolutionManagement {
versionCatalogs {
libs {
Expand Down

This file was deleted.