# community-support
a
Btw I tried investigating where the dependency got transitively leaked from, but the output of `dependencyInsight` was hard to understand, I couldn't get any actionable insights from it
v
Did you define a range for that dependency, or a fixed version? What did `dependencyInsight` output, or are you maybe able to share a build scan?
a
I defined neither a range nor a fixed version for the dependency; it must have come in transitively. I just tried re-running `dependencyInsight` and am encountering a problem, I'll try to get it to work and then I'll share the output
```
16:51:06: Executing ':common:dependencyInsight --dependency com.fasterxml.jackson.core:jackson-core --configuration default -q'...

com.fasterxml.jackson.core:jackson-core:2.15.0-rc1
   variant "runtimeElements" [
      org.gradle.category            = library (not requested)
      org.gradle.dependency.bundling = external (not requested)
      org.gradle.libraryelements     = jar (not requested)
      org.gradle.usage               = java-runtime (not requested)
      org.gradle.status              = release (not requested)
   ]
   Selection reasons:
      - By constraint : dependency was locked to version '2.15.0-rc1'
      - By ancestor

com.fasterxml.jackson.core:jackson-core:{strictly 2.15.0-rc1} -> 2.15.0-rc1
\--- default

com.fasterxml.jackson.core:jackson-core:2.15.0-rc1
+--- com.fasterxml.jackson:jackson-bom:2.15.0-rc1
|    +--- default (requested com.fasterxml.jackson:jackson-bom:{strictly 2.15.0-rc1})
|    +--- com.<REDACTED>.engprod:platform:4.1.33.0 (requested com.fasterxml.jackson:jackson-bom:+)
|    |    +--- default (requested com.<REDACTED>.engprod:platform:+)
|    |    \--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0 (requested com.<REDACTED>.engprod:platform:2.3.91.0)
|    |         \--- default (requested com.<REDACTED>.engprod:engprod-commons:2.+)
|    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.0-rc1
|    |    +--- default (requested com.fasterxml.jackson.datatype:jackson-datatype-jsr310:{strictly 2.15.0-rc1})
|    |    +--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0 (requested com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.14.0) (*)
|    |    \--- com.fasterxml.jackson:jackson-bom:2.15.0-rc1 (*)
|    +--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.0-rc1
|    |    +--- default (requested com.fasterxml.jackson.dataformat:jackson-dataformat-xml:{strictly 2.15.0-rc1})
|    |    +--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0 (requested com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.14.0) (*)
|    |    \--- com.fasterxml.jackson:jackson-bom:2.15.0-rc1 (*)
|    +--- com.fasterxml.jackson.core:jackson-databind:2.15.0-rc1
|    |    +--- default (requested com.fasterxml.jackson.core:jackson-databind:{strictly 2.15.0-rc1})
|    |    +--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0 (requested com.fasterxml.jackson.core:jackson-databind:2.14.0) (*)
|    |    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.0-rc1 (*)
|    |    +--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.0-rc1 (*)
|    |    +--- com.fasterxml.jackson:jackson-bom:2.15.0-rc1 (*)
|    |    \--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0-rc1
|    |         +--- default (requested com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:{strictly 2.15.0-rc1})
|    |         +--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0 (requested com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.0) (*)
|    |         \--- com.fasterxml.jackson:jackson-bom:2.15.0-rc1 (*)
|    +--- com.fasterxml.jackson.core:jackson-core:2.15.0-rc1 (*)
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.15.0-rc1
|    |    +--- default (requested com.fasterxml.jackson.core:jackson-annotations:{strictly 2.15.0-rc1})
|    |    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.0-rc1 (*)
|    |    +--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.0-rc1 (*)
|    |    +--- com.fasterxml.jackson.core:jackson-databind:2.15.0-rc1 (*)
|    |    \--- com.fasterxml.jackson:jackson-bom:2.15.0-rc1 (*)
|    \--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0-rc1 (*)
+--- com.fasterxml.jackson.core:jackson-databind:2.15.0-rc1 (*)
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.0-rc1 (*)
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0-rc1 (*)
\--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.0-rc1 (*)

com.fasterxml.jackson.core:jackson-core:2.12.1 -> 2.15.0-rc1
+--- com.google.cloud:google-cloud-firestore:2.2.4
|    +--- default (requested com.google.cloud:google-cloud-firestore:{strictly 2.2.4})
|    +--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0
|    |    \--- default (requested com.<REDACTED>.engprod:engprod-commons:2.+)
|    \--- com.google.cloud:libraries-bom:19.0.0
|         +--- default (requested com.google.cloud:libraries-bom:{strictly 19.0.0})
|         \--- com.<REDACTED>.engprod:platform:4.1.33.0
|              +--- default (requested com.<REDACTED>.engprod:platform:+)
|              \--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0 (requested com.<REDACTED>.engprod:platform:2.3.91.0) (*)
\--- com.google.cloud:google-cloud-storage:1.113.12
     +--- default (requested com.google.cloud:google-cloud-storage:{strictly 1.113.12})
     +--- com.<REDACTED>.engprod:engprod-commons:2.3.91.0 (*)
     \--- com.google.cloud:libraries-bom:19.0.0 (*)

(*) - dependencies omitted (listed previously)

A web-based, searchable dependency report is available by adding the --scan option.
16:51:07: Execution finished ':common:dependencyInsight --dependency com.fasterxml.jackson.core:jackson-core --configuration default -q'.
```
Trying to figure out where this is coming from by looking at the `engprod-commons` project now..
k
Personally, I find Build Scans™ much easier to read than `dependencyInsight`. Have you tried running your build with the `--scan` option? The searchable nature of the dependency tree is really nice in the UI.
v
`com.<REDACTED>.engprod:platform:4.1.33.0` has `com.fasterxml.jackson:jackson-bom:+`, which means the latest version available
a
I wish I could @kyle but my company's policy prohibits using `--scan` because it sends sensitive build info to Gradle's server, which is against our security policy
k
I understand.
a
@Vampire is there a way to specify a dynamic dependency (e.g. `2.+`) while also preventing unstable versions?
k
Björn is right - you never, ever want to publish a library that exposes a dynamic dependency like `com.fasterxml.jackson:jackson-bom:+`
Yes, Gradle has an API to publish the resolved version of the dependency in the metadata.
a
Looking
Oh, I didn't even realize the default behavior was to use dynamic dependencies in the published artifact! That seems like odd behavior, I would have expected that resolved dependencies would be the default behavior. If I understand correctly, this means that if I publish my Gradle plugin `foo` version `1.0` that has a dynamic dependency `bar:+`, and at the time of publishing the latest version of `bar` was `1.0`, but a month later `bar` releases version `2.0`, then someone using `foo:1.0` will transitively get the dependency `bar:2.0` instead of `bar:1.0`?
k
Precisely. Very bad!
It’s basically building a time-bomb into your library. As the docs state, this is exactly your use-case:
Example use cases for resolved versions:
• A project uses dynamic versions for dependencies but prefers exposing the resolved version for a given release to its consumers.
I’m sure the feature has good intentions; for example it’s not unreasonable to use a dynamic dependency like `foo:1.0.+` … this ensures that the latest patch release is always consumed. But you also take a risk that the owner of `foo` understands semver and never makes any breaking changes in a patch release.
a
I notice now that our plugin actually already uses `fromResolutionResult`
k
That’s good - then maybe you want to scope `bar:+` to a major version, like `bar:2.+`. This might help.
v
Maybe the plugin does, but `com.<REDACTED>.engprod:platform` does not? Because that is the one with the dynamic version dependency.
And even worse, it probably uses `enforcedPlatform`, as the constraint comes out with strict versions.
`enforcedPlatform` should almost never be used in an end-product except in rare edge cases, and practically never in a library project. Gradle should even prominently warn you if you publish something with an enforced platform.
a
@Vampire is there an article/blog post or something that explains why `enforcedPlatform` should not be used?
v
I learned it from @melix, not sure whether he blogged about it
All the docs say is
Using `enforcedPlatform` needs to be considered with care if your software component can be consumed by others. This declaration is effectively transitive and so will apply to the dependency graph of your consumers. Unfortunately they will have to use `exclude` if they happen to disagree with one of the forced versions.
Instead, if your reusable software component has a strong opinion on some third party dependency versions, consider using a rich version declaration with a `strictly`.