emersonloureiro
commented
6 years ago Hi there. I'm not sure I understand, but there's no explicit dependency to S3Proxy in sbt-s3. If it depends on it, it's being pulled as a transitive dependency.
SBT does allow overriding a sub-dependency. When doing this, you'll be overriding because potentially a newer version is brought into the classpath transitively but it's not backwards compatible to the explicit version you're depending on, and so it'll crash at runtime. But then again, it's not the case here, so maybe I just didn't understand your point.
gaul
Why sbt-s3 allows configuring S3Proxy versions? It downloads these at run-time instead of packaging them as a dependency, resisting outside analyses. As the author of S3Proxy I encourage users to use the latest versions and wanted to see if there was some blocker for this.
Does sbt not allow overriding a subdependency? It seems like you can do this at compile-time via excludes or forces:
http://www.scala-sbt.org/1.x/docs/Library-Management.html