search

autonomousapps / dependency-analysis-gradle-plugin

Gradle plugin for JVM projects written in Java, Kotlin, Groovy, or Scala; and Android projects written in Java or Kotlin. Provides advice for managing dependencies and other applied plugins
Apache License 2.0
1.82k stars 120 forks source link

Guava checks ignore dependencies resolution that may bump guava to higher version #1307

Open Jacks0N23 opened 1 week ago

Jacks0N23 commented 1 week ago

Plugin version 2.4.2

Gradle version 8.11

JDK version 17

(Optional) Kotlin and Kotlin Gradle Plugin (KGP) version 2.0.21

(Optional) Android Gradle Plugin (AGP) version 8.7.2.

Describe the bug I cannot even configure project with latest version which include guava version check. Plugin says: 

The Dependency Analysis Gradle Plugin requires Guava 33.1.0 or higher. Your build is using Guava 32.1.3-jre,
which is too low. Please update your dependencies.

Guava was loaded in the classloader named

    ClassLoaderScopeIdentifier.Id{coreAndPlugins:settings[:](export)}

But when I print deps to understand from where I got wrong guava version I saw this:

+--- androidx.build.gradle.gcpbuildcache:androidx.build.gradle.gcpbuildcache.gradle.plugin:1.0.0
|    \--- androidx.build.gradle.gcpbuildcache:gcpbuildcache:1.0.0
|         +--- com.squareup.okhttp3:okhttp-bom:4.12.0
|         |    \--- com.squareup.okhttp3:okhttp:4.12.0 (c)
|         +--- com.google.cloud:google-cloud-storage:2.30.1
|         |    +--- com.google.guava:guava:32.1.3-jre -> 33.1.0-jre
|         |    +--- com.google.guava:failureaccess:1.0.1
|         |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava

To Reproduce Idk minimal example, but my project looks similar to this

  1. composite build with two modules: 1.1 . build-logic-settings -> :build-logic-settings:build-cache -> implementation("androidx.build.gradle.gcpbuildcache:androidx.build.gradle.gcpbuildcache.gradle.plugin:1.0.0") 1.2 build-logic -> :build-logic:plugins -> implementation("com.autonomousapps:dependency-analysis-gradle-plugin:2.4.2") 1.3 try to bump guava here to at least 33.1.0 like implementation("com.google.guava:guava:33.1.0-jre")
  2. Try to sync
  3. You should get the same error

I found the only way to fix - to add implementation("com.google.guava:guava:33.1.0-jre") before lib that require guava. But it's even another composite project, it seems irrational, but my be I'm wrong

Expected behavior DAGP do not fails fast

Jacks0N23 commented 1 week ago

Maybe you should call checkGuava() only when it's required to call any task, not while configuration?

autonomousapps commented 1 week ago

Thanks for the issue! Could you please provide a minimal reproducer?