googleapis / google-api-java-client-services

Generated Java code for Google APIs
Apache License 2.0

google-api-services-youtube docs prescribe commas which no longer exist #10677

Closed DeannaGelbart closed 2 years ago

DeannaGelbart commented 2 years ago

Steps to reproduce

Starting with version 1.30.1 of clients/google-api-services-youtube/v3/VERSION/com/google/api/services/youtube/YouTube.java, the definition of the part field of the List class changed from private java.lang.String part to private java.util.List<java.lang.String> part, but the Javadoc documentation still describes part as a comma-separated list of properties (this description happens in several places in the file).

I guess there are no more commas between properties, and now there's one String per property instead? Is that correct?

DeannaGelbart commented 2 years ago

By the way, is it safe for me to use versions 1.30.1 and higher in production? I'm asking for two reasons:

The /youtube/v3/java/latest/ docs on developers.google.com still have revision 222 in the title and still say java.lang.String part: https://developers.google.com/resources/api-libraries/documentation/youtube/v3/java/latest/com/google/api/services/youtube/YouTube.Videos.List.html

and the most recent google-api-services-youtube jar with an -rc suffix on maven.org is version 3-rev222-1.18.0-rc: https://search.maven.org/artifact/com.google.apis/google-api-services-youtube/

lesv commented 2 years ago

YouTube questions should be asked on StackOverflow

Issue Tracker

@DeannaGelbart I can't speak on behalf of the YouTube team, but if they published it, it's probably the way to go, even if the docs aren't accurate. As I mentioned above, this should be asked on StackOverflow as no one from the youtube team monitors this repository.

DeannaGelbart commented 2 years ago

Thanks @lesv. I should be able to figure out what to do about the commas. But can Google answer my question above about whether the current release version of this library is 1.31.0 (per GitHub) or 222-1.18.0-rc (per developers.google.com and the -rc suffix on published jar files)? That seems like a question for Google, not the general developer community on Stack Overflow.

DeannaGelbart commented 2 years ago

There is a critical security advisory against the version of google-oauth-client being pulled in by 222-1.18.0-rc. Hence my question. From JFrog Xray:

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for native apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.

lesv commented 2 years ago

The latest is either implementation 'com.google.apis:google-api-services-youtube:v3-rev20210915-1.32.1' or:

<dependency>
  <groupId>com.google.apis</groupId>
  <artifactId>google-api-services-youtube</artifactId>
  <version>v3-rev20210915-1.32.1</version>
</dependency>

lesv commented 2 years ago

The way to read our current version string: the v3 is the endpoint version - you'll find it in the REST documentation. The rev20210915 is the day the client was created and also when the discovery document was accessed. The 1.32.1 is the version of the client code.

We generally recommend that you use the latest.
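
An added example, not from the thread or the project: a Python check that splits the version string the way the comment above describes and flags a resolved google-oauth-client older than the 1.31.0 named in the quoted advisory. The dependency-tree text is constructed sample input (its transitive versions are illustrative), and the function names are hypothetical.

```python
import re

# Fixed-in version quoted from the advisory text in the thread.
OAUTH_CLIENT_FIXED = (1, 31, 0)
# <endpoint>-rev<revision>-<client code version>[-qualifier], as the maintainer describes it.
ARTIFACT_VERSION = re.compile(
    r"^(?P<endpoint>v[\w.]+?)-rev(?P<revision>\d+)-(?P<client>\d+(?:\.\d+)*)(?P<qualifier>-[\w.]+)?$")
# groupId:artifactId:jar:version:scope, the coordinate form `mvn dependency:tree` prints.
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")

# Constructed sample output; the transitive versions are illustrative, not from a real build.
OLD_TREE = r"""
[INFO] +- com.google.apis:google-api-services-youtube:jar:v3-rev222-1.18.0-rc:compile
[INFO] |  \- com.google.oauth-client:google-oauth-client:jar:1.18.0-rc:compile
"""
NEW_TREE = r"""
[INFO] +- com.google.apis:google-api-services-youtube:jar:v3-rev20210915-1.32.1:compile
[INFO] |  \- com.google.oauth-client:google-oauth-client:jar:1.32.1:compile
"""

def parse_artifact_version(version):
    """Split a generated-client version string into its parts, or return None."""
    m = ARTIFACT_VERSION.match(version)
    if m is None:
        return None
    return {"endpoint": m["endpoint"], "revision": m["revision"],
            "client": m["client"], "qualifier": m["qualifier"]}

def release_tuple(version):
    """Leading numeric part as a 3-tuple; qualifiers such as -rc are ignored.
    An unparseable version becomes (0, 0, 0) so it is reported rather than passed."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    nums = tuple(int(p) for p in m.group().split(".")) if m else ()
    return (nums + (0, 0, 0))[:3]

def audit(tree_text):
    """Return findings for the oauth client version and for qualified client builds."""
    findings = []
    for group, artifact, version, _scope in COORD.findall(tree_text):
        if (group, artifact) == ("com.google.oauth-client", "google-oauth-client"):
            if release_tuple(version) < OAUTH_CLIENT_FIXED:
                findings.append(f"{artifact} {version} is before 1.31.0 (PKCE advisory)")
        elif artifact == "google-api-services-youtube":
            info = parse_artifact_version(version)
            if info and info["qualifier"]:
                findings.append(f"{artifact} {version} is a '{info['qualifier']}' build "
                                f"of client code {info['client']}")
    return findings

if __name__ == "__main__":
    for name, tree in (("old", OLD_TREE), ("new", NEW_TREE)):
        print(name, audit(tree) or "no findings")
```

The check reads plain `jar` coordinates only; coordinates that carry a classifier are not matched.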