Open westito opened 11 months ago
We delegate to Gradle for resolution, which should be looking at the maven-metadata.xml
to find the version candidates. Which repositories are you using? I recall jcenter used to bad results (mix of new and stale) which could confuse Gradle's dependency resolver.
Central: maven-metadata.xml
I use these:
google()
jcenter()
mavenCentral()
maven { url "https://jitpack.io" }
I tried with a single repository (only jcenter or mavenCentral) and cleared gradle / Studio cache, but the result is the same.
Gradle: v8.2.1 (tried v8.0.2 too) com.android.tools.build:gradle:8.1.0 (tried 8.0.2 too)
Gradle logs this XMLs when checking version:
https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/maven-metadata.xml
https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/4.10.0/okhttp-4.10.0.pom / module
https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/4.9.3/okhttp-4.9.3.pom / module
https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/5.0.0-alpha [ lot of alphas ]
Linter reports the right version in build.gradle file inspection: A newer version of com.squareup.okhttp3:okhttp than 4.9.3 is available: 4.11.0
I wrote a minimal example which works,
plugins {
id 'com.github.ben-manes.versions' version '0.47.0'
id 'java-library'
}
repositories {
mavenCentral()
}
def isNonStable = { String version ->
def stableKeyword = ['RELEASE', 'FINAL', 'GA'].any { it -> version.toUpperCase().contains(it) }
def regex = /^[0-9,.v-]+(-r)?$/
return !stableKeyword && !(version ==~ regex)
}
tasks.named("dependencyUpdates").configure {
rejectVersionIf {
isNonStable(it.candidate.version)
}
}
dependencies {
implementation('com.squareup.okhttp3:okhttp:4.9.2')
}
$ gradle dU --refresh-dependencies -q
------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest milestone version:
- com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.47.0
The following dependencies have later milestone versions:
- com.squareup.okhttp3:okhttp [4.9.2 -> 4.11.0]
https://square.github.io/okhttp/
Gradle release-candidate updates:
- Gradle: [8.0.2 -> 8.2.1 -> 8.3-rc-1]
This is a blank Android project I generated with Android Studio and added the gradle versions plugin. It is also not working for me, same result as above. I also tried with --refresh-dependencies -q
parameters added, without success.
Project: MyApplication2.zip
Android Studio Giraffe | 2022.3.1
Build #AI-223.8836.35.2231.10406996, built on June 29, 2023
Runtime version: 17.0.6+0-17.0.6b829.9-10027231 aarch64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o.
macOS 13.4.1
GC: G1 Young Generation, G1 Old Generation
Memory: 2048M
Cores: 10
Metal Rendering is ON
Registry:
editor.focus.mode.color.light=474747
ide.editor.tab.selection.animation=true
external.system.auto.import.disabled=true
ide.text.editor.with.preview.show.floating.toolbar=false
ide.new.editor.tabs.vertical.borders=true
ide.balloon.shadow.size=0
editor.focus.mode.color.dark=474747
Non-Bundled Plugins:
com.github.copilot (1.2.15.2816)
com.intellij.marketplace (223.8836.56)
com.dubreuia (2.3.0)
com.chrisrm.idea.MaterialThemeUI (8.4.1)
7:42:51: Executing 'dependencyUpdates'...
Executing tasks: [dependencyUpdates] in project /Users/westito/Projects/MyApplication2
> Task :dependencyUpdates
------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest milestone version:
- androidx.core:core-ktx:1.9.0
- androidx.lifecycle:lifecycle-runtime-ktx:2.6.1
- androidx.test.espresso:espresso-core:3.5.1
- androidx.test.ext:junit:1.1.5
- com.android.application:com.android.application.gradle.plugin:8.1.0
- com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.47.0
- com.squareup.okhttp3:okhttp:4.9.3
- junit:junit:4.13.2
- org.jetbrains.kotlin:kotlin-compiler-embeddable:1.8.10
- org.jetbrains.kotlin:kotlin-klib-commonizer-embeddable:1.8.10
- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.10
The following dependencies have later milestone versions:
- androidx.activity:activity-compose [1.7.0 -> 1.7.2]
https://developer.android.com/jetpack/androidx/releases/activity#1.7.0
- androidx.compose:compose-bom [2023.03.00 -> 2023.06.01]
https://developer.android.com/jetpack
- androidx.compose.compiler:compiler [1.4.3 -> 1.5.0]
https://developer.android.com/jetpack/androidx/releases/compose-compiler#1.5.0
- androidx.compose.material3:material3 [1.0.0 -> 1.1.1]
https://developer.android.com/jetpack/androidx/releases/compose-material3#1.0.0
- androidx.compose.ui:ui [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.0
- androidx.compose.ui:ui-graphics [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- androidx.compose.ui:ui-test-junit4 [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- androidx.compose.ui:ui-test-manifest [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- androidx.compose.ui:ui-tooling [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.0
- androidx.compose.ui:ui-tooling-preview [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- org.jetbrains.kotlin.android:org.jetbrains.kotlin.android.gradle.plugin [1.8.10 -> 1.9.0]
https://kotlinlang.org/
Gradle release-candidate updates:
- Gradle: [8.0 -> 8.2.1 -> 8.3-rc-1]
Generated report file build/dependencyUpdates/report.txt
> Task :app:dependencyUpdates
------------------------------------------------------------
:app Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest milestone version:
- androidx.core:core-ktx:1.9.0
- androidx.lifecycle:lifecycle-runtime-ktx:2.6.1
- androidx.test.espresso:espresso-core:3.5.1
- androidx.test.ext:junit:1.1.5
- com.squareup.okhttp3:okhttp:4.9.3
- junit:junit:4.13.2
- org.jetbrains.kotlin:kotlin-compiler-embeddable:1.8.10
- org.jetbrains.kotlin:kotlin-klib-commonizer-embeddable:1.8.10
- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.10
The following dependencies have later milestone versions:
- androidx.activity:activity-compose [1.7.0 -> 1.7.2]
https://developer.android.com/jetpack/androidx/releases/activity#1.7.0
- androidx.compose:compose-bom [2023.03.00 -> 2023.06.01]
https://developer.android.com/jetpack
- androidx.compose.compiler:compiler [1.4.3 -> 1.5.0]
https://developer.android.com/jetpack/androidx/releases/compose-compiler#1.5.0
- androidx.compose.material3:material3 [1.0.0 -> 1.1.1]
https://developer.android.com/jetpack/androidx/releases/compose-material3#1.0.0
- androidx.compose.ui:ui [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- androidx.compose.ui:ui-graphics [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- androidx.compose.ui:ui-test-junit4 [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- androidx.compose.ui:ui-test-manifest [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
- androidx.compose.ui:ui-tooling [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.0
- androidx.compose.ui:ui-tooling-preview [1.4.0 -> 1.4.3]
https://developer.android.com/jetpack/androidx/releases/compose-ui#1.4.3
Gradle release-candidate updates:
- Gradle: [8.0 -> 8.2.1 -> 8.3-rc-1]
Generated report file build/dependencyUpdates/report.txt
BUILD SUCCESSFUL in 1s
2 actionable tasks: 2 executed
Build Analyzer results available
7:42:53: Execution finished 'dependencyUpdates'.
is there any type of bom or other attribute restrictions? I see the same in that project and it is not rejected. It might be something weird like a kotlin stdlib compatibility issue, causing Gradle to not select it? I know Android/Kotlin do very funky things that can break Gradle in weird ways.
tasks.named("dependencyUpdates").configure {
resolutionStrategy {
componentSelection {
all {
if (isNonStable(it.candidate.version)) {
println candidate
reject('Release candidate')
}
}
}
}
}
Unfortunately you might need to ask the Gradle folks directly. Nothing in the debug log or module metadata stands out to me, but the resolution is done by them. Something is restricting it, but it is their apis and the non-Android sample worked fine.
minimally switching between Android and Java is enough to see this foreign restriction being applied. I just don't know the guts of Android or Gradle enough to explain why it is doing this.
plugins {
id 'com.android.application'
//id 'java-library'
}
android {
namespace 'com.example.myapplication'
compileSdk 33
}
dependencies {
api 'com.squareup.okhttp3:okhttp:4.9.3'
}
I found the issue! When I use version 4.10.0
then the latest version offered! I think it is about semantic versioning. Upgradable from 1.10.x
, but not from 4.9.x
. Not allows MINOR upgrade, only PATCH.
- com.squareup.okhttp3:okhttp [4.10.0 -> 4.11.0]
Odd! I still don’t understand why it’s so weird, but great find
Is there a workaround and/or upstream issue that we can follow? This issue makes using the plugin a deal breaker, since it does not do the one thing it's supposed to (report outdated dependencies)
In this case it is something weird from the Android plugin authors. As I am not an android developer or have a relationship with their team or ecosystem, it makes more sense for users to file a ticket with them and link here as they have an interest in getting it resolved. I'm happy to help, but it's not really in scope for me to chase this down and try to get a fix out of them.
I can file an issue, but I'm not too familiar with the internals. Which API is AGP breaking?
They are placing some type of restriction on the dynamic resolution, +
, for finding the latest version. That could be a resolution strategy, a constraint, gradle module metadata, etc. You can see in this sample that switching between java and AGP is enough to have different behavior. Nothing was obvious, maybe there is a security issue for a banned version, but all I could tell is their plugin changed what Gradle resolved to.
Thanks for the info, I've created an upstream bug here: https://issuetracker.google.com/issues/311414913
Hi @ben-manes Just to add to this, I also get this issue for a couple of dependencies:
org.apache.logging.log4j:log4j-core:3.0.0-beta2: 3.0.0-beta2 -> stable=false
org.apache.logging.log4j:log4j-core:3.0.0-beta1: 3.0.0-beta1 -> stable=false
org.apache.logging.log4j:log4j-core:3.0.0-alpha1: 3.0.0-alpha1 -> stable=false
org.apache.logging.log4j:log4j-core:2.23.1: 2.23.1 -> stable=true
org.slf4j:slf4j-api:2.1.0-alpha1: 2.1.0-alpha1 -> stable=false
org.slf4j:slf4j-api:2.1.0-alpha0: 2.1.0-alpha0 -> stable=false
org.slf4j:slf4j-api:2.0.13: 2.0.13 -> stable=true
Here is my rejectIf
function:
fun isNonStable(name: String, version: String): Boolean {
val stableKeyword = listOf("RELEASE", "FINAL", "GA").any { version.toUpperCaseAsciiOnly().contains(it) }
val regex = "^[0-9,.v-]+$".toRegex()
val isStable = stableKeyword || regex.matches(version)
println("$name: $version -> stable=$isStable")
return isStable.not()
}
I added the println to help show this issue...
I am using id("com.github.ben-manes.versions") version "0.51.0"
You might inspect the info log to see if a reject reason is given for a problematic version. An external resolution rule, constraint, locking, etc may be interfering with the evaluation. Since we resolve using gradle other configuration is at play, for good or bad.
I have declared
com.squareup.okhttp3:okhttp:4.9.3
in my build.gradle file. When no version filter added, it prints there is a new alpha (5.0.0-alpha.11) version. So I added the version rejecter described in readme.md. As the result, it is not reporting outdated, but also not reports the newercom.squareup.okhttp3:okhttp:4.11.0
version. It saysBut it isn't true! I add a debug printer in the
rejectVersionIf
script and it is returnsSo it seems this script working, somehow the plugin rejects stable version too if alpha rejected.