Olical / depot

Find newer versions of your dependencies in your deps.edn file
https://clojars.org/olical/depot
The Unlicense
260 stars 14 forks source link

NoSuchMethodError #23

Closed pmonks closed 5 years ago

pmonks commented 5 years ago

I've been happily using depot for some time, including on a project I'm actively working on, but recently it started throwing this exception with this project:

Exception in thread "main" java.util.concurrent.ExecutionException: java.lang.NoSuchMethodError: org.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
    at clojure.core$deref_future.invokeStatic(core.clj:2300)
    at clojure.core$future_call$reify__8439.deref(core.clj:6974)
    at clojure.core$deref.invokeStatic(core.clj:2320)
    at clojure.core$deref.invoke(core.clj:2306)
    at clojure.core$map$fn__5851.invoke(core.clj:2755)
    at clojure.lang.LazySeq.sval(LazySeq.java:42)
    at clojure.lang.LazySeq.seq(LazySeq.java:58)
    at clojure.lang.RT.seq(RT.java:531)
    at clojure.core$seq__5387.invokeStatic(core.clj:137)
    at clojure.core$keep$fn__8544.invoke(core.clj:7330)
    at clojure.lang.LazySeq.sval(LazySeq.java:42)
    at clojure.lang.LazySeq.seq(LazySeq.java:51)
    at clojure.lang.RT.seq(RT.java:531)
    at clojure.core$seq__5387.invokeStatic(core.clj:137)
    at clojure.core$sort.invokeStatic(core.clj:3113)
    at clojure.core$sort_by.invokeStatic(core.clj:3119)
    at clojure.core$sort_by.invokeStatic(core.clj:3119)
    at clojure.core$sort_by.invoke(core.clj:3119)
    at depot.outdated$gather_outdated.invokeStatic(outdated.clj:122)
    at depot.outdated$gather_outdated.invoke(outdated.clj:104)
    at depot.outdated.main$_main.invokeStatic(main.clj:55)
    at depot.outdated.main$_main.doInvoke(main.clj:33)
    at clojure.lang.RestFn.applyTo(RestFn.java:137)
    at clojure.lang.Var.applyTo(Var.java:705)
    at clojure.core$apply.invokeStatic(core.clj:665)
    at clojure.main$main_opt.invokeStatic(main.clj:491)
    at clojure.main$main_opt.invoke(main.clj:487)
    at clojure.main$main.invokeStatic(main.clj:598)
    at clojure.main$main.doInvoke(main.clj:561)
    at clojure.lang.RestFn.applyTo(RestFn.java:137)
    at clojure.lang.Var.applyTo(Var.java:705)
    at clojure.main.main(main.java:37)
Caused by: java.lang.NoSuchMethodError: org.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F
    at org.eclipse.aether.internal.impl.PrioritizedComponents.add(PrioritizedComponents.java:66)
    at org.eclipse.aether.internal.impl.DefaultLocalRepositoryProvider.newLocalRepositoryManager(DefaultLocalRepositoryProvider.java:104)
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.newLocalRepositoryManager(DefaultRepositorySystem.java:392)
    at depot.outdated$make_session.invokeStatic(outdated.clj:28)
    at depot.outdated$make_session.invoke(outdated.clj:25)
    at depot.outdated$coord__GT_version_status.invokeStatic(outdated.clj:36)
    at depot.outdated$coord__GT_version_status.invoke(outdated.clj:32)
    at depot.outdated$eval1367$fn__1369.invoke(outdated.clj:63)
    at clojure.lang.MultiFn.invoke(MultiFn.java:239)
    at depot.outdated$current_latest_map.invokeStatic(outdated.clj:102)
    at depot.outdated$current_latest_map.invoke(outdated.clj:98)
    at depot.outdated$gather_outdated$fn__1393.invoke(outdated.clj:113)
    at clojure.core$pmap$fn__8447$fn__8448.invoke(core.clj:7022)
    at clojure.core$binding_conveyor_fn$fn__5739.invoke(core.clj:2030)
    at clojure.lang.AFn.call(AFn.java:18)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)

I assume (but have not confirmed) that a change in my project's own dependencies conflicted with depot's own dependencies. Here's my deps.edn:

{:deps    {org.clojure/clojure              {:mvn/version "1.10.0"}
           org.clojure/data.zip             {:mvn/version "0.1.3"}
           version-clj                      {:mvn/version "0.1.2"}
           org.owasp/dependency-check-maven {:mvn/version "4.0.2"}
           eu.7bridges/corallo              {:mvn/version "0.1.1"}}
 :aliases {:check        {:extra-deps {athos/clj-check {:git/url "https://github.com/athos/clj-check.git"
                                                        :sha "b48d4e7000586529f81c1e29069b503b57259514"}}
                          :main-opts ["-m" "clj-check.check"]}                          ; clj -A:check
           :test         {:extra-paths ["test"]}
           :ancient      {:extra-deps {olical/depot {:mvn/version "1.8.2"}}             ; clj -A:ancient
                          :main-opts  ["-m" "depot.outdated.main"]}
           :uberjar      {:extra-deps {luchiniatwork/cambada {:mvn/version "1.0.0"}}    ; clj -A:uberjar
                          :main-opts  ["-m" "cambada.uberjar"
                                       "-m" "clojars-dependencies.main"]}
           :native-image {:extra-deps {luchiniatwork/cambada {:mvn/version "1.0.0"}}    ; clj -A:native-image
                          :main-opts  ["-m" "cambada.native-image"
                                       "-m" "clojars-dependencies.main"]}}}
Olical commented 5 years ago

Aha, well that's odd. I can see aether in that stack trace, so maybe it's a conflicting version there, yeah. Definitely not from a change on depot's side, it's been pretty stable and hasn't changed much at all recently. Try clj -Stree and have a look through there for things that don't seem to match up I guess?

I've never really had to resolve these sorts of conflicts in the past I'm afraid.

pmonks commented 5 years ago

Here's the output from clj -Stree:

$ clj -Stree
org.clojure/clojure 1.10.0
  org.clojure/core.specs.alpha 0.2.44
  org.clojure/spec.alpha 0.2.176
org.clojure/data.zip 0.1.3
aysylu/loom 1.0.2
  tailrecursion/cljs-priority-map 1.2.1
    org.clojure/clojurescript 1.7.170
      org.clojure/data.json 0.2.6
      org.clojure/google-closure-library 0.0-20151016-61277aea
        org.clojure/google-closure-library-third-party 0.0-20151016-61277aea
      org.mozilla/rhino 1.7R5
      com.google.javascript/closure-compiler v20151015
      org.clojure/tools.reader 0.10.0-alpha3
  org.clojure/data.priority-map 0.0.5
org.owasp/dependency-check-maven 4.0.2
  org.apache.maven.reporting/maven-reporting-api 3.0
    org.apache.maven.doxia/doxia-sink-api 1.0
  org.apache.maven.shared/maven-dependency-tree 3.0.1
    org.eclipse.aether/aether-util 0.9.0.M2
  org.apache.maven.shared/file-management 3.0.0
    org.apache.maven.shared/maven-shared-io 3.0.0
      org.apache.maven.wagon/wagon-provider-api 2.10
      org.apache.maven/maven-compat 3.0
    org.apache.maven/maven-plugin-api 3.0
      org.sonatype.sisu/sisu-inject-plexus 1.4.2
        org.sonatype.sisu/sisu-inject-bean 1.4.2
          org.sonatype.sisu/sisu-guice$noaop 2.1.7
      org.apache.maven/maven-model 3.0
  org.owasp/dependency-check-core 4.0.2
    joda-time/joda-time 1.6
    org.apache.commons/commons-compress 1.18
    com.h3xstream.retirejs/retirejs-core 3.0.1
      com.esotericsoftware/minlog 1.3
      com.github.spullara.mustache.java/compiler 0.8.17
      org.json/json 20140107
    org.apache.lucene/lucene-analyzers-common 7.6.0
    com.h2database/h2 1.4.196
    commons-io/commons-io 2.6
    commons-collections/commons-collections 3.2.2
    org.apache.lucene/lucene-core 7.6.0
    org.apache.lucene/lucene-queryparser 7.6.0
      org.apache.lucene/lucene-queries 7.6.0
      org.apache.lucene/lucene-sandbox 7.6.0
    org.apache.commons/commons-text 1.3
      org.apache.commons/commons-lang3 3.7
    com.google.guava/guava 27.0.1-jre
      com.google.errorprone/error_prone_annotations 2.2.0
      org.codehaus.mojo/animal-sniffer-annotations 1.17
      com.google.guava/listenablefuture 9999.0-empty-to-avoid-conflict-with-guava
      com.google.guava/failureaccess 1.0.1
      com.google.j2objc/j2objc-annotations 1.1
      org.checkerframework/checker-qual 2.5.2
      com.google.code.findbugs/jsr305 3.0.2
    org.apache.velocity/velocity 1.7
      commons-lang/commons-lang 2.4
    com.sun.mail/mailapi 1.6.3
    com.vdurmont/semver4j 2.2.0
    org.jsoup/jsoup 1.11.3
    org.slf4j/slf4j-api 1.7.25
    org.glassfish/javax.json 1.0.4
    com.google.code.gson/gson 2.8.5
  org.owasp/dependency-check-utils 4.0.2
  org.apache.maven.shared/maven-artifact-transfer 0.10.1
    commons-codec/commons-codec 1.11
    org.codehaus.plexus/plexus-component-annotations 1.7.1
    org.codehaus.plexus/plexus-utils 3.1.0
    org.apache.maven/maven-core 3.0
      org.sonatype.aether/aether-util 1.7
      org.apache.maven/maven-model-builder 3.0
      org.apache.maven/maven-settings-builder 3.0
      org.apache.maven/maven-settings 3.0
      org.apache.maven/maven-aether-provider 3.0
      org.sonatype.aether/aether-impl 1.7
        org.sonatype.aether/aether-spi 1.7
      org.codehaus.plexus/plexus-classworlds 2.2.3
      org.codehaus.plexus/plexus-interpolation 1.14
      org.sonatype.aether/aether-api 1.7
      org.apache.maven/maven-repository-metadata 3.0
    org.apache.maven.shared/maven-common-artifact-filters 3.0.1
      org.apache.maven.shared/maven-shared-utils 3.1.0
    org.apache.maven/maven-artifact 3.0
  org.sonatype.plexus/plexus-sec-dispatcher 1.4
    org.sonatype.plexus/plexus-cipher 1.4
version-clj/version-clj 0.1.2

I see a few different aether artifacts in there, but no obvious conflicts based solely on GAVs (though it's entirely possible that different JARs contain the same class, which would be unfortunate...).

Olical commented 5 years ago

So this wouldn't happen to be fixed in 1.8.4 would it?

pmonks commented 5 years ago

I’m not in a position to check until late July, but if you’d like to try yourself the project where this is occurring is here.

Olical commented 5 years ago

Please update again this was due to a bad deploy and has since been fixed. Sorry about that!

On Wed, 3 Jul 2019, 04:18 Peter Monks, notifications@github.com wrote:

I’m not in a position to check until late July, but if you’d like to try yourself the project is here https://github.com/pmonks/clojars-dependencies.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Olical/depot/issues/23?email_source=notifications&email_token=AACM6XJJ7SIOAOYNJEBJO2LP5QLAHA5CNFSM4HSVBGNKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZDEJHA#issuecomment-507921564, or mute the thread https://github.com/notifications/unsubscribe-auth/AACM6XPQBXURPPAVDGFU55LP5QLAHANCNFSM4HSVBGNA .

Olical commented 5 years ago

I actually thought this was a new issue and replied by email :man_facepalming: my bad! I realised my prompt to update looked pretty weird and pushy after that. I thought it was someone having an issue with the previous version which was a broken deploy. Take your time! :smile:

pmonks commented 5 years ago

No worries - I appreciated the update, tbh! 😃

I’m traveling without a laptop right now, but once I get home I’ll give the new version a shot.

Thanks!

pmonks commented 5 years ago

Ok finally had a chance to upgrade and try it again, but I'm still getting an error with v1.8.4:

$ clj -A:ancient
Execution error (NoSuchMethodError) at org.eclipse.aether.internal.impl.PrioritizedComponents/add (PrioritizedComponents.java:66).
org.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F

Full report at:
/var/folders/x4/jg66qz6n3dqd4fwxgfsp3j2h0000gn/T/clojure-2910453177622845879.edn

Contents of /var/folders/x4/jg66qz6n3dqd4fwxgfsp3j2h0000gn/T/clojure-2910453177622845879.edn:

{:clojure.main/message
 "Execution error (NoSuchMethodError) at org.eclipse.aether.internal.impl.PrioritizedComponents/add (PrioritizedComponents.java:66).\norg.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F\n",
 :clojure.main/triage
 {:clojure.error/class java.lang.NoSuchMethodError,
  :clojure.error/line 66,
  :clojure.error/cause
  "org.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F",
  :clojure.error/symbol
  org.eclipse.aether.internal.impl.PrioritizedComponents/add,
  :clojure.error/source "PrioritizedComponents.java",
  :clojure.error/phase :execution},
 :clojure.main/trace
 {:via
  [{:type java.util.concurrent.ExecutionException,
    :message
    "java.lang.NoSuchMethodError: org.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F",
    :at [java.util.concurrent.FutureTask report "FutureTask.java" 122]}
   {:type java.lang.NoSuchMethodError,
    :message
    "org.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F",
    :at
    [org.eclipse.aether.internal.impl.PrioritizedComponents
     add
     "PrioritizedComponents.java"
     66]}],
  :trace
  [[org.eclipse.aether.internal.impl.PrioritizedComponents
    add
    "PrioritizedComponents.java"
    66]
   [org.eclipse.aether.internal.impl.DefaultLocalRepositoryProvider
    newLocalRepositoryManager
    "DefaultLocalRepositoryProvider.java"
    104]
   [org.eclipse.aether.internal.impl.DefaultRepositorySystem
    newLocalRepositoryManager
    "DefaultRepositorySystem.java"
    392]
   [depot.outdated$make_session invokeStatic "outdated.clj" 28]
   [depot.outdated$make_session invoke "outdated.clj" 25]
   [depot.outdated$coord__GT_version_status
    invokeStatic
    "outdated.clj"
    36]
   [depot.outdated$coord__GT_version_status invoke "outdated.clj" 32]
   [depot.outdated$eval1375$fn__1377 invoke "outdated.clj" 63]
   [clojure.lang.MultiFn invoke "MultiFn.java" 239]
   [depot.outdated$current_latest_map invokeStatic "outdated.clj" 102]
   [depot.outdated$current_latest_map invoke "outdated.clj" 98]
   [depot.outdated$gather_outdated$fn__1401 invoke "outdated.clj" 112]
   [clojure.core$pmap$fn__8462$fn__8463 invoke "core.clj" 7022]
   [clojure.core$binding_conveyor_fn$fn__5754 invoke "core.clj" 2030]
   [clojure.lang.AFn call "AFn.java" 18]
   [java.util.concurrent.FutureTask run "FutureTask.java" 264]
   [java.util.concurrent.ThreadPoolExecutor
    runWorker
    "ThreadPoolExecutor.java"
    1128]
   [java.util.concurrent.ThreadPoolExecutor$Worker
    run
    "ThreadPoolExecutor.java"
    628]
   [java.lang.Thread run "Thread.java" 834]],
  :cause
  "org.eclipse.aether.util.ConfigUtils.getFloat(Ljava/util/Map;F[Ljava/lang/String;)F"}}
Olical commented 5 years ago

:thinking: not sure if anyone else is having this issue so I'm still wondering if it's to do with your other dependencies in your project. Like one of them is shifting some transitive dependency version slightly. Haven't had time to take a proper look at a bug, if I do it won't be for a little while yet :disappointed:

If I could reproduce it maybe I could work out some sort of workaround, just not sure how right now.

pmonks commented 5 years ago

The project where this is happening is open source, so you should be able to clone that repo and reproduce at will:

$ git clone https://github.com/pmonks/clojars-dependencies.git
$ cd clojars-dependencies
$ clj -A:ancient
Olical commented 5 years ago

So I commented out the dependencies one at the time and it worked after I got rid of org.owasp/dependency-check-maven, updating it to the latest version doesn't seem to work either, sadly. Maybe there's a way to exclude it while trying to use depot? I can't see it messing with any dependencies that depot requires, so it's pretty confusing.

Maybe it's treated as an optional dependency by some other dependency in the tree, so it's presence triggers some other path in some tool that I'm not aware of. I'm afraid I don't have any simple answers for this one.

pmonks commented 5 years ago

Sounds like a transitive dependency conflict, unless you also checked those?

We now know it’s a conflict between one of aether’s dependencies and either dependency-check-maven itself or one of its dependencies, which narrows down the hunt somewhat.

pmonks commented 5 years ago

I may have been a little optimistic; running clj -Aancient -Stree gives this tree:

org.clojure/clojure 1.10.1
  org.clojure/core.specs.alpha 0.2.44
  org.clojure/spec.alpha 0.2.176
org.clojure/data.zip 0.1.3
aysylu/loom 1.0.2
  tailrecursion/cljs-priority-map 1.2.1
  org.clojure/data.priority-map 0.0.5
org.owasp/dependency-check-maven 4.0.2
  org.apache.maven.reporting/maven-reporting-api 3.0
    org.apache.maven.doxia/doxia-sink-api 1.0
  org.apache.maven.shared/maven-dependency-tree 3.0.1
    org.eclipse.aether/aether-util 0.9.0.M2
  org.apache.maven.shared/file-management 3.0.0
    org.apache.maven.shared/maven-shared-io 3.0.0
      org.apache.maven/maven-compat 3.0
  org.owasp/dependency-check-core 4.0.2
    org.apache.commons/commons-compress 1.18
    com.h3xstream.retirejs/retirejs-core 3.0.1
      com.esotericsoftware/minlog 1.3
      com.github.spullara.mustache.java/compiler 0.8.17
      org.json/json 20140107
    org.apache.lucene/lucene-analyzers-common 7.6.0
    com.h2database/h2 1.4.196
    commons-io/commons-io 2.6
    commons-collections/commons-collections 3.2.2
    org.apache.lucene/lucene-core 7.6.0
    org.apache.lucene/lucene-queryparser 7.6.0
      org.apache.lucene/lucene-queries 7.6.0
      org.apache.lucene/lucene-sandbox 7.6.0
    org.apache.commons/commons-text 1.3
      org.apache.commons/commons-lang3 3.7
    com.google.guava/guava 27.0.1-jre
      com.google.errorprone/error_prone_annotations 2.2.0
      org.codehaus.mojo/animal-sniffer-annotations 1.17
      com.google.guava/listenablefuture 9999.0-empty-to-avoid-conflict-with-guava
      com.google.guava/failureaccess 1.0.1
      com.google.j2objc/j2objc-annotations 1.1
      org.checkerframework/checker-qual 2.5.2
      com.google.code.findbugs/jsr305 3.0.2
    org.apache.velocity/velocity 1.7
      commons-lang/commons-lang 2.4
    com.sun.mail/mailapi 1.6.3
    com.vdurmont/semver4j 2.2.0
    org.jsoup/jsoup 1.11.3
    org.slf4j/slf4j-api 1.7.25
    org.glassfish/javax.json 1.0.4
    com.google.code.gson/gson 2.8.5
  org.owasp/dependency-check-utils 4.0.2
  org.apache.maven.shared/maven-artifact-transfer 0.10.1
    commons-codec/commons-codec 1.11
    org.codehaus.plexus/plexus-component-annotations 1.7.1
    org.codehaus.plexus/plexus-utils 3.1.0
    org.apache.maven.shared/maven-common-artifact-filters 3.0.1
      org.apache.maven.shared/maven-shared-utils 3.1.0
  org.sonatype.plexus/plexus-sec-dispatcher 1.4
    org.sonatype.plexus/plexus-cipher 1.4
olical/depot 1.8.4
  org.clojure/tools.cli 0.4.1
  rewrite-clj/rewrite-clj 0.6.1
  org.clojure/clojurescript 1.10.520
    org.clojure/data.json 0.2.6
    org.clojure/google-closure-library 0.0-20170809-b9c14c6b
      org.clojure/google-closure-library-third-party 0.0-20170809-b9c14c6b
    org.mozilla/rhino 1.7R5
    com.cognitect/transit-clj 0.8.309
      com.cognitect/transit-java 0.8.332
        com.fasterxml.jackson.core/jackson-core 2.8.7
        org.msgpack/msgpack 0.6.12
          com.googlecode.json-simple/json-simple 1.1.1
          org.javassist/javassist 3.18.1-GA
    org.clojure/tools.reader 1.3.0
    com.google.javascript/closure-compiler-unshaded v20180805
      com.google.jsinterop/jsinterop-annotations 1.0.0
      com.google.javascript/closure-compiler-externs v20180805
      args4j/args4j 2.0.26
      com.google.protobuf/protobuf-java 3.0.2
  org.clojure/tools.deps.alpha 0.7.516
    org.springframework.build/aws-maven 5.0.0.RELEASE
    org.apache.maven.resolver/maven-resolver-transport-wagon 1.1.1
      org.apache.maven.wagon/wagon-provider-api 3.0.0
    org.apache.maven.resolver/maven-resolver-transport-http 1.1.1
      org.slf4j/jcl-over-slf4j 1.7.25
      org.apache.httpcomponents/httpcore 4.4.8
      org.apache.httpcomponents/httpclient 4.5.4
    org.apache.maven.resolver/maven-resolver-transport-file 1.1.1
    org.apache.maven/maven-core 3.5.2
      org.eclipse.sisu/org.eclipse.sisu.plexus 0.3.3
        javax.enterprise/cdi-api 1.0
          javax.annotation/jsr250-api 1.0
      org.apache.maven/maven-settings-builder 3.5.2
      org.apache.maven/maven-settings 3.5.2
      org.codehaus.plexus/plexus-classworlds 2.5.2
      com.google.inject/guice$no_aop 4.0
        aopalliance/aopalliance 1.0
      org.eclipse.sisu/org.eclipse.sisu.inject 0.3.3
      org.apache.maven/maven-builder-support 3.5.2
      org.apache.maven/maven-plugin-api 3.5.2
        org.sonatype.sisu/sisu-inject-plexus 1.4.2
          org.sonatype.sisu/sisu-inject-bean 1.4.2
            org.sonatype.sisu/sisu-guice$noaop 2.1.7
      org.apache.maven/maven-artifact 3.5.2
    org.apache.maven.resolver/maven-resolver-api 1.1.1
    org.apache.maven/maven-resolver-provider 3.5.2
      javax.inject/javax.inject 1
      org.apache.maven/maven-model-builder 3.5.2
        org.codehaus.plexus/plexus-interpolation 1.24
      org.apache.maven/maven-model 3.5.2
      org.apache.maven/maven-repository-metadata 3.5.2
    org.clojure/data.xml 0.2.0-alpha5
      org.clojure/data.codec 0.1.0
    org.apache.maven.resolver/maven-resolver-spi 1.1.1
    org.slf4j/slf4j-nop 1.6.2
    s3-wagon-private/s3-wagon-private 1.3.1
      com.fasterxml.jackson.core/jackson-databind 2.5.5
        com.fasterxml.jackson.core/jackson-annotations 2.5.0
      com.amazonaws/aws-java-sdk-s3 1.11.184
        com.amazonaws/jmespath-java 1.11.184
        com.amazonaws/aws-java-sdk-core 1.11.184
          joda-time/joda-time 2.8.1
          com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.6.7
          software.amazon.ion/ion-java 1.0.2
          commons-logging/commons-logging 1.1.3
        com.amazonaws/aws-java-sdk-kms 1.11.184
    org.clojure/tools.gitlibs 0.2.64
      com.jcraft/jsch.agentproxy.jsch 0.0.9
      org.eclipse.jgit/org.eclipse.jgit 4.10.0.201712302008-r
        com.googlecode.javaewah/JavaEWAH 1.1.6
        com.jcraft/jsch 0.1.54
      com.jcraft/jsch.agentproxy.connector-factory 0.0.9
        com.jcraft/jsch.agentproxy.sshagent 0.0.9
        com.jcraft/jsch.agentproxy.usocket-jna 0.0.9
          net.java.dev.jna/jna 4.1.0
          net.java.dev.jna/jna-platform 4.1.0
        com.jcraft/jsch.agentproxy.pageant 0.0.9
        com.jcraft/jsch.agentproxy.core 0.0.9
        com.jcraft/jsch.agentproxy.usocket-nc 0.0.9
    org.apache.maven.resolver/maven-resolver-connector-basic 1.1.1
    org.apache.maven.resolver/maven-resolver-impl 1.1.1
    org.apache.maven.resolver/maven-resolver-util 1.1.1
version-clj/version-clj 0.1.2

Which has no obvious (to my eye) conflicts, at least at the artifact level. It's possible the problematic class (org.eclipse.aether.util.ConfigUtils) moved JARs at some point, but tracking that down is going to be a royal pita. 😢

pmonks commented 5 years ago

Upgrading org.owasp/dependency-check-maven to v5.2.1 didn't help either, FWIW.

Olical commented 5 years ago

Yep, I'm not sure if it's a straight conflict, like I couldn't see anything in a minimal depot project that is shared in this error stack. Which is what makes me think it's the presence of the library that causes something to require it and try to do something with it, like an optional dependency?

pmonks commented 5 years ago

What's a tad annoying is that I only use org.owasp/dependency-check-maven for its (very handy) XmlInputStream class. I guess I wasn't the only one who got fed up with the garbage POM files on Maven Central, but I digress...

Given that that class is based on a StackOverflow answer (plus it's Apache licensed) it's tempting to just copy that code out into my own project and ditch that dependency...

Olical commented 5 years ago

Hmm, yeah, ripping it out to remove the rest of the dep is probably the easiest and best thing to do. It's still annoying but I'm not sure what I can do to fix this, especially since it impacts a fraction of the potential projects out there.

Olical commented 5 years ago

So I'm chalking this up to "extremely rare and unlikely dependency conflict of some kind that I don't fully understand". I think working around this for the small amount of possible cases is the way to go for now.

If this is more common than I think right now I'll dig deeper and work out what's causing it. I'm still considering a rewrite of this one day to unify the "find updates" and "apply updates" halves of the code base, so it could go away with that.

Closing for now, thank you for all of the data and help! I'm sure it'll help a lot as and when I get around to patching this issue out somehow.