Open meltsufin opened 5 years ago
It probably shouldn't shade this. Rather it should simply depend on the usual jar rather than bundling it.
Pasting my findings on duplicate class via Maven extra-enforcer rule's banDuplicateClasses:
Duplicate classes found:
Found in:
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
javax.transaction:transaction-api:jar:1.1:compile
Duplicate classes:
javax/transaction/SystemException.class
(...omit ...)
javax/transaction/TransactionSynchronizationRegistry.class
Found in:
com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
Duplicate classes:
com/google/errorprone/annotations/Var.class
com/google/errorprone/annotations/concurrent/LockMethod.class
com/google/errorprone/annotations/FormatString.class
(...omit ...)
com/google/errorprone/annotations/Immutable.class
com/google/errorprone/annotations/RestrictedApi.class
Found in:
com.google.code.findbugs:jsr305:jar:3.0.2:compile
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
Duplicate classes:
javax/annotation/WillCloseWhenClosed.class
javax/annotation/meta/TypeQualifierValidator.class
javax/annotation/concurrent/Immutable.class
(...omit ...)
javax/annotation/RegEx$Checker.class
Found in:
org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.21:compile
javax.servlet:servlet-api:jar:2.5:compile
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
Duplicate classes:
javax/servlet/http/HttpSessionAttributeListener.class
javax/servlet/SingleThreadModel.class
(...omit ...)
javax/servlet/http/HttpSession.class
javax/servlet/http/HttpSessionEvent.class
Found in:
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
io.opencensus:opencensus-contrib-grpc-metrics:jar:0.19.2:compile
Duplicate classes:
io/opencensus/contrib/grpc/metrics/RpcViews.class
io/opencensus/contrib/grpc/metrics/RpcViewConstants.class
io/opencensus/contrib/grpc/metrics/RpcMeasureConstants.class
Found in:
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
javax.jdo:jdo2-api:jar:2.3-eb:compile
Duplicate classes:
javax/jdo/annotations/ForeignKey.class
javax/jdo/spi/JDOImplHelper.class
(...omit ...)
javax/jdo/listener/LoadLifecycleListener.class
javax/jdo/annotations/PersistenceCapable.class
Found in:
io.opencensus:opencensus-api:jar:0.23.0:compile
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
Duplicate classes:
io/opencensus/stats/AutoValue_ViewData.class
io/opencensus/trace/TraceOptions$Builder.class
(...omit ...)
io/opencensus/tags/unsafe/ContextUtils$1.class
io/opencensus/trace/samplers/Samplers.class
io/opencensus/stats/Aggregation.class
Found in:
com.google.endpoints:endpoints-management-control-appengine-all:jar:1.0.11:compile
com.google.api.grpc:proto-google-common-protos:jar:1.16.0:compile
Duplicate classes:
com/google/cloud/audit/AuthorizationInfo$Builder.class
com/google/cloud/audit/AuthenticationInfo.class
(...omit ...)
com/google/cloud/audit/AuditLogOrBuilder.class
com/google/cloud/audit/AuthenticationInfoOrBuilder.class
These are the risks endpoints-management-control-appengine-all
may shadow classes at users' runtime.
Again, the issue is not that it doesn't shade these classes. It shouldn't shade them. It shouldn't bundle them either.
I agree that this library should not shade dependencies.
This is causing diamond dependency issues.
See: https://github.com/spring-cloud/spring-cloud-gcp/issues/1815#issuecomment-521392758