Transitive dependencies creating version conflicts & missing jar verification #4086
Labels
Comments
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 21, 2020
Aligns Bisq's slf4j version requirement with that of other dependencies. This removes a duplicated dependency, and corrects the gradle-witness.gradle slf4-api entry, which verified slf4-api v1.7.22, not the transitive dependency loaded at runtime. Partial fix for bisq-network#4086
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 21, 2020
The latest firebase-admin depends on grpc-api v1.24.1, which is as close as we can get to the grpc v1.25.0 specified in build.gradle. Currently, the firebase-admin version requirement is causing the build to download grpc v1.10.1 jars, but at runtime, grpc 1.25.0 jars are loaded. Partial fix for bisq-network#4086
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 21, 2020
The latest firebase-admin (v6.12.2) depends on grpc-api v1.24.1, which is as close as we can get to the grpc v1.25.0 specified in build.gradle. Currently, the firebase-admin version requirement is causing the build to download grpc v1.10.1 jars, but at runtime, grpc 1.25.0 jars are loaded. Eliminating the version conflict saves a dev time thinking about which source jar to choose from while examining exception stack traces. Partial fix for bisq-network#4086
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 21, 2020
The latest firebase-admin (v6.12.2) depends on grpc-api v1.24.1, which is as close as we can get to the grpc v1.25.0 specified in build.gradle. Currently, the firebase-admin version requirement is causing the build to download grpc v1.10.1 jars, but at runtime, grpc 1.25.0 jars are loaded. Transitive dependency grpc-netty-shaded-1.23.0 is also excluded. Eliminating version conflicts saves a dev time thinking about which source jar to choose from while examining exception stack traces. Partial fix for bisq-network#4086
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 22, 2020
The latest firebase-admin (v6.12.2) depends on grpc-api v1.24.1, which is as close as we can get to the grpc v1.25.0 specified in build.gradle. Currently, the firebase-admin version requirement is causing the build to download grpc v1.10.1 jars, but at runtime, grpc 1.25.0 jars are loaded. Transitive dependencies grpc-netty-shaded, grpc-protobuf, grpc-protobuf-lite, grpc-protobuf-stub, grpc-protobuf-grpclb (v1.23.0) are also excluded. Eliminating version conflicts saves a dev time thinking about which source jar to choose from while examining exception stack traces. Partial fix for bisq-network#4086
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 22, 2020
The latest firebase-admin (v6.12.2) depends on grpc-api v1.24.1, which is as close as we can get to the grpc v1.25.0 specified in build.gradle. Currently, the firebase-admin version requirement is causing the build to download grpc v1.10.1 jars, but at runtime, grpc 1.25.0 jars are loaded. Transitive dependencies grpc-netty-shaded, grpc-protobuf, grpc-protobuf-lite, grpc-protobuf-stub, grpc-protobuf-grpclb (v1.23.0) are also excluded. Upgraded slf4j version requirement to match that of other dependencies. This removes a duplicated dependency, and corrects the gradle-witness.gradle slf4-api entry, which verified slf4-api v1.7.22, not the transitive dependency loaded at runtime. Beyond avoiding general version hell issues, eliminating version conflicts saves a dev time thinking about which source jar to choose from while examining exception stack traces. Partial fix for bisq-network#4086
|
I don't think it will be possible to resolve all version conflicts because too many transitive dependencies have too many of their own version conflict problems in their own dependency graphs. But it would be good to minimize them in Bisq as much as practicable. |
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 22, 2020
Some apache & logback dependency versions were bumped up, some transitive dependencies declared as direct dependencies, and some new exclusions were added to reduced the number of duplicated dependencies in the build. Also updated gradle-witness.gradle. Here are some of the duplicated apache dependencies in the current build: commons-codec-1.10.jar commons-codec-1.9.jar commons-io-2.4.jar commons-io-2.6.jar commons-logging-1.1.1.jar commons-logging-1.2.jar httpclient-4.0.1.jar httpclient-4.5.3.jar httpclient-4.5.5.jar httpcore-4.0.1.jar httpcore-4.4.6.jar httpcore-4.4.9.jar logback-classic-1.1.10.jar logback-classic-1.1.11.jar logback-core-1.1.10.jar logback-core-1.1.11.jar Upgraded: codecVersion '1.9 -> 1.13 ioVersion 2.4 -> 2.6 langVersion 3.4 -> 3.8 httpclientVersion 4.5.3 -> 4.5.12 slf4jVersion 1.7.22 -> 1.7.25 New dependency declarations: loggingVersion 1.2 httpcoreVersion 4.4.13 This commit reduces the number of build dependencies by 10. Partial fix for bisq-network#4086
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 22, 2020
Some apache & logback dependency versions were bumped up, some transitive dependencies declared as direct dependencies, and some new exclusions were added to reduce the number of duplicated dependencies in the build. Also updated gradle-witness.gradle. Here are some of the duplicated apache dependencies in the current build: commons-codec-1.10.jar commons-codec-1.9.jar commons-io-2.4.jar commons-io-2.6.jar commons-logging-1.1.1.jar commons-logging-1.2.jar httpclient-4.0.1.jar httpclient-4.5.3.jar httpclient-4.5.5.jar httpcore-4.0.1.jar httpcore-4.4.6.jar httpcore-4.4.9.jar logback-classic-1.1.10.jar logback-classic-1.1.11.jar logback-core-1.1.10.jar logback-core-1.1.11.jar Upgraded: codecVersion 1.9 -> 1.13 ioVersion 2.4 -> 2.6 langVersion 3.4 -> 3.8 httpclientVersion 4.5.3 -> 4.5.12 slf4jVersion 1.7.22 -> 1.7.25 New dependency declarations: loggingVersion 1.2 httpcoreVersion 4.4.13 This commit reduces the number of build dependencies by 10. Partial fix for bisq-network#4086
ghubstan
added a commit
to ghubstan/bisq
that referenced
this issue
Mar 22, 2020
Some apache & logback dependency versions were bumped up, some transitive dependencies declared as direct dependencies, and some new exclusions were added to reduce the number of duplicated dependencies in the build. Also updated gradle-witness.gradle. Here are some of the duplicated apache and logback dependencies in the current build: commons-codec-1.10.jar commons-codec-1.9.jar commons-io-2.4.jar commons-io-2.6.jar commons-logging-1.1.1.jar commons-logging-1.2.jar httpclient-4.0.1.jar httpclient-4.5.3.jar httpclient-4.5.5.jar httpcore-4.0.1.jar httpcore-4.4.6.jar httpcore-4.4.9.jar logback-classic-1.1.10.jar logback-classic-1.1.11.jar logback-core-1.1.10.jar logback-core-1.1.11.jar Upgraded: codecVersion 1.9 -> 1.13 ioVersion 2.4 -> 2.6 langVersion 3.4 -> 3.8 httpclientVersion 4.5.3 -> 4.5.12 slf4jVersion 1.7.22 -> 1.7.25 New dependency declarations: loggingVersion 1.2 httpcoreVersion 4.4.13 This commit reduces the number of build dependencies by 10. Partial fix for bisq-network#4086
This was referenced Apr 1, 2020
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@ghubstan is this still an issue? |
|
Yes, it is. I'm working on an idea to improve this situation in a misq poc. |
|
Same here, was also looking for alternatives. Some of the issues with
Seems to give a false sense of security Related older thread: #1897 (comment) Main solutions I came across so far:
cc @bisq-network/bisq-devs : If you have other ideas, add as comments below. |
|
The gradle-witness plugin is becoming obsolete (and possibly) incompatible with newer versions of gradle. There is a built in verification task in newer gradle versions: https://docs.gradle.org/6.6.1/userguide/dependency_verification.html I don't know if it can verify plugin jars. |
|
@ghubstan that's probably the best way forward. Looks like it can even do plugins:
Let me know if I can help. |
I think it just works if you add |
|
Thanks, I added a PR for the only Misq repo I am aware of: https://github.com/chimp1984/misq/pull/8 |
|
We will always be dealing with the version conflicts, but I appreciate the issue house cleaning you're doing. |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
The gradle build needs to be more strict about excluding transitive dependencies that create version conflicts. (This implies some dependencies might need to be upgraded, and some even downgraded, to align versions of direct and transitive dependencies.)
Version
Commit 17bb7b4
Steps to reproduce
Build Bisq and see multiple versions of some jars in the lib dir.
Expected behaviour
There should not be any version conflicts, and every jar needs to be verified by the gradle-witness.gradle file.
Actual behaviour
There are several transitive dependencies downloaded during the build that conflict with direct dependencies specified in gradle.build, and in the case of the desktop build, they are not being verified by gradle-witness.
Here are duplicate jars with the letters 'grpc' in their name:
This may not be an urgent problem because the latest jar is loaded at run time. However, that also means that a transitive dependency with a larger version than is specified in the build file is loaded, not the jar which has passed gradle witness verification. For example: the build file specifies
but
shows me that the transitive dependency slf4j-api-1.7.25.jar is being loaded instead.
Maybe building the shipped, shaded jar eliminates most of this problem, but I new devs like me may spend a lot of time trying to figure out why jar version conflicts like the grpc example I described above exist.
The text was updated successfully, but these errors were encountered: