Remove react-native package from maven central and jcenter

[carlospaulino]

Description

A really old version of react-native is being hosted on maven central and jcenter.

Please remove it to avoid confusions.

http://search.maven.org/#artifactdetails%7Ccom.facebook.react%7Creact-native%7C0.20.1%7Caar
https://bintray.com/bintray/jcenter/com.facebook.react%3Areact-native

Additional Information

• React Native version: 0.20.1
• Platform: Android

[ide]

@mkonicek What do you think about removing this? I believe it's been over a year since the last publish.

[clarle]

Just curious, what's the reasoning behind not publishing it to Maven Central / JCenter regularly?

[ide]

Unlike most other libraries, RN has inherently coupled JS+Java and JS+Obj-C so we want to distribute related code together in the interest of high cohesion. Additionally the build system is JS-centric and works out of node_modules, so we want to distribute the JS using npm more than we want to distribute the Java using Maven or ObjC using CocoaPods.

We also want to keep the deployment process simple hence publishing to just one package repository, so the pragmatic place we've landed is to distribute all the code through npm and let people use Gradle or CocoaPods locally for linking, just not distribution. There are some downsides to this but it's the tradeoff we've made and are willing to commit to.

[pyankoff]

I strongly support the idea of removing [email protected] from maven. It masks gradle linking problems and creates errors like these which are harder to debug:

https://github.com/idehub/react-native-billing/issues/42
evollu/react-native-fcm#235

[petterh]

An argument for publishing versions of React Native through Maven

We have a scenario where several existing Android app will consume a reusable React Native component. However, none of owners of the existing apps want to add yet another tech (npm) to their build system, yet they have a dependency on the React Native native components (basically what's in node_modules/react-native/android).

If React Native is not publicly available through Maven, we need to distribute this ourselves. Which isn't too hard, but getting it through Maven would be nicer, IMO.

Though obviously it needs to be up-to-date. Having ancient versions hanging about is, as @pyankoff mentioned above, troublesome.

[urjitbhatia]

We have a similar setup as @petterh - a common RN component library that we want to reuse without having to install node_modules and the rest of the react setup in all the apps. We are generating an aar artifact but there are still some places in the main app we need to refer to com.facebook.react stuff.
Not sure what a good way out of that is right now.

[hramos]

Hi there! This issue is being closed because it has been inactive for a while. Maybe the issue has been fixed in a recent release, or perhaps it is not affecting a lot of people. Either way, we're automatically closing issues after a period of inactivity. Please do not take it personally!

If you think this issue should definitely remain open, please let us know. The following information is helpful when it comes to determining if the issue should be re-opened:

• Does the issue still reproduce on the latest release candidate? Post a comment with the version you tested.
• If so, is there any information missing from the bug report? Post a comment with all the information required by the issue template.
• Is there a pull request that addresses this issue? Post a comment with the PR number so we can follow up.

If you would like to work on a patch to fix the issue, contributions are very welcome! Read through the contribution guide, and feel free to hop into #react-native if you need help planning your contribution.

[gengjiawen]

This is need to be done, because it bring to much surprise, even for android developer.

[gengjiawen]

You doesn't update your dependency, but for one day, you code won't build simply because react native push one version to jcenter.

@grabbou @hramos Can you do something about this ?

[gengjiawen]

For anyone want to hack this, you need to config your root build.gradle like this. 0.51.1 is the version you want (the one you use in package.json).

configurations.all {
        resolutionStrategy.eachDependency { details ->
            if (details.requested.group == 'com.facebook.react') {
                details.useVersion "0.51.0"
            }
        }
 }

[gengjiawen]

And for the argument bringed by @petterh , you need not distribute. Just use npm, it's quite easy (a few lines of gradle config) , just as the react native template show.

[hramos]

Related to #19259.

[gengjiawen]

@hramos They are same issue, I think you close the other. And I notice this because react native pushed a new version to bintray. And my co-workers spend 3 hour to fix this before ask for my help. Please fix this issue. And I think it's hard to fix even for most android developers.

[hramos]

It's the same issue. I am reopening this issue as it seems like a good place to discuss a solution, as opposed to #19259 which is all about the side effects the issue has introduced.

[hramos]

Question: do we know who has access to upload these releases to Maven?

[gengjiawen]

@grabbou Do you know ? I am thinking create a pr to remove upload script.

[grabbou]

To be honest, I don't really know. Never uploaded anything there.

…

On Tue, 15 May 2018 at 18:18 Jiawen Geng ***@***.***> wrote: @grabbou <https://github.com/grabbou> Do you know ? I am thinking create a pr to remove upload script. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13094 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACWcxlGBbry3DgaY3E_kLcePB1u_T4zJks5tyv-9gaJpZM4Mlzhb> .

[gengjiawen]

I am not a facebook employee, I have no clue either.

[hramos]

@gengjiawen where's this upload script? I don't recall dealing with Maven when we migrated CI to Circle last year.

How are people getting into this situation? I've only found instructions for configuring Maven in existing apps here but it seems like that's just using the local React Native npm package.

[kelset]

It seems that "anyone" could upload to issue and trigger cascading issues for everyone without fixed dep. @ide seemed to know more about it, but tbh I think we could just remove it in favor of a 'local dep' like

        maven {
            // All of React Native (JS, Obj-C sources, Android binaries) is installed from yarn
            url "$rootDir/../node_modules/react-native/android"
        }

[hramos]

Where do we need to remove this? Given we can't prevent random people from creating a react-native package, where in the repo do we configure people's projects to use Maven in this manner? Is this something that people have configured themselves in their own projects?

[gengjiawen]

I think the upload script is

react-native/ReactAndroid/release.gradle

Lines 106 to 122 in 6c58035

	uploadArchives {
	configuration = configurations.archives
	repositories.mavenDeployer {
	beforeDeployment {
	MavenDeployment deployment -> signing.signPom(deployment)
	}
	repository(url: getRepositoryUrl()) {
	authentication(
	userName: getRepositoryUsername(),
	password: getRepositoryPassword())
	}
	configureReactNativePom pom
	}
	}

You need to have the username and password to upload the archive.

[hramos]

Gotcha. It does not look like we actually run that anywhere. So far, I don't think these uploads to Maven are coming from our side.

[gengjiawen]

Weired, the repo is owned by official https://bintray.com/bintray/jcenter/com.facebook.react:react-native/view#, not Facebook. From the meta we can see the version info. It not publish all the versions.

      <version>0.20.1</version>
      <version>0.49.5</version>
      <version>0.55.3</version>
    </versions>
    <lastUpdated>20180515084147</lastUpdated>

Maybe bintray has some robot do the thing. @hramos @ide @grabbou Maybe email them officially to tell them stop this thing.

[gengjiawen]

The version cause the problem is in jcenter (bintray.com), not uploaded to maven.

[jbaruch]

Hey folks, Baruch here, Developer Advocate with JFrog, the maintainer of Bintray (and jcenter). I'd like to explain what happened.

As it was mentioned in the opening comment of this issue, the version of react-native in Maven Central and jcenter is ancient. Occasionally, people ask us if it's a bug that tons of new releases are missing, and we explain that no, it's just FB didn't publish any news versions to Maven Central or Bintray. That's fine. So far so good, and here's an interlude how jcenter works, which you need to understand what happened.
Generally, there are two approaches to central repositories (registries):

1. npm registry. It's officially a wild west, everybody can publish whatever they like under (almost) every name, and it's up to the user to figure it out.

Pros of this approach:

• Simple, immediate publishing
• You can play with it, publish whatever HelloWorld you want into it in 2 minutes

Cons:

• #npmgate a.k.a. #unpublishgate. Someone took someone else's name and the hell broke loose.

2. Maven Central. Strict "official packages only" policy. People on a payroll make sure that only the official packages make it to Maven Central.

Pros:

• You can count on it. If something is in Maven Central, it's legit (well, let's say 99% of the time?)

Cons:

• You don't have your own "unofficial" playground. For example, you can't fork a library and then upload it under the same name in your separate space for your team to use. Note, I am not talking about permissions, but about namespacing. You can't have your own version of native-react in Maven Central.
• Human factor. An attacker can trick the reviewers to allow a fake package into Maven Central.

We, in Bintray, tried to find the middle ground. The way it works is everybody can create their own repositories, and publish their packages there. They will be most of the time public, but they won't be considered "official" in any way.
There are also curated, official repositories, like jcenter. You can request an inclusion to that repository, and after a verification (heads up – that's where we screwed up this time) your package will be included in the curated repository. If a package was included in jcenter, it usually means it can be trusted and won't be unpublished (since it was already vetoed).

Pros:

• All the pros of npm registry in your own repositories. Play with it, create your on versions of other people's package, do whatever you want.
• All the pros of Maven Central in jcenter and other curated repositories. You can count on it.

Cons:

• The human factor in the review of the inclusion requests. An attacker can trick the reviewers to allow a fake package to be included in the curated repository.

And that's exactly what happened. Someone, realizing the fact that form one side, react-native is not published on Maven Central and jcenter, and from other side people are still trying to resolve it from jcenter, decided to use this lack of supply and the constant demand to trick us. They created a fake artifact using the coordinates of react-native in their private repository and submitted an inclusion request to jcenter. Alas, we approved it, and that's how a resolution of the official coordinates of react-native from jcenter ended up in downloading a fake artifact.

We unlinked the fake package from jcenter and banned the abuser from Bintray.

We'll review our inclusion request process and make our best effort to prevent such incidents in the future.

Thank you for understanding.

P.S. the best way to prevent impostors from abusing your namespace is to publish the artifacts yourselves. I understand that you might not want to put your trust in Bintray after this incident, but considering you do have users who resolve react-native from jcenter with Gradle it might be something worth doing anyway. I am at your service, of course, with any help you might need if you decide to take this path.

Sorry again for the mess!

[jgreen210]

It seems like gradle doesn't support restricting dependencies to specific repos (here, node_modules/): gradle/gradle#1369.

[MarkOSullivan94]

Was reading issue #19259. Curious, does the changes cause some issues with RN plugins which are used in RN projects as well? I've noticed some weird behaviour in our app since yesterday (not sure if it's related)

[cpojer]

Thanks for the thorough reply @jbaruch. It seems like there isn't much actionable stuff left to do here so I'm gonna go ahead and close this issue.

[zsajjad]

Wallmart are hosting all react-native versions on maven here

Following code does work!

    implementation "com.walmartlabs.ern:react-native:0.59.4"