Closed mdedetrich closed 1 year ago
sbt-dependenyc-submission does not submit only the runtime dependencies but also the dependencies of your build (sbt plugins) and development configurations (Test
, ScalaTools
, ScalaDocTools
). That's why your snapshot contains three dependencies to jackson-databind:
2.14.3
is coming from the Compile
dependencies.2.13.3
is coming from the ScalaDocTools
dependencies. It is a transitive dependency of scaladoc_3
.sbt:pekko> ++3.3.0
sbt:pekko> show update
...
[info] scala-doc-tool:
...
[info] com.fasterxml.jackson.core:jackson-databind:2.13.3:default
...
2.9.10
is coming from
sbt:pekko> reload plugins
sbt:pekko> show dependencyTree
...
[info] +-com.github.sbt:sbt-unidoc:0.5.0
[info] +-com.hpe.sbt:sbt-pull-request-validator:1.0.0
[info] | +-org.kohsuke:github-api:1.93
[info] | +-com.fasterxml.jackson.core:jackson-databind:2.9.2
...
You should be able to fix the dependabot alert by adding libraryDependency += "com.fasterxml.jackson.core:jackson-databind:2.14.3"
in your project/plugins.sbt
.
As a side note, if you want to ignore the dependencies coming from some configurations you can use the configs-ignore input.
There is no way currently to ignore the dependencies of the build itself though.
sbt-dependenyc-submission does not submit only the runtime dependencies but also the dependencies of your build (sbt plugins) and development configurations (Test, ScalaTools, ScalaDocTools). That's why your snapshot contains three dependencies to jackson-databind
Oh wow, I didn't realize it also grabbed dependencies from sbt plugin itself, I though it was just grabbing dependencies from runtime/compile. Thanks for letting me know, I presume to filter out sbt-plugin dependencies one would use scala-tool
and scala-doc-tool
?
Thanks for letting me know, I presume to filter out sbt-plugin dependencies one would use scala-tool and scala-doc-tool?
scala-tool
contains the compiler and its dependencies
scala-doc-tool
contains scaladoc and its dependencies
The sbt-plugin dependencies are the compile dependencies of the meta-build. There is no way currently to ignore dependencies for the meta-build.
Actually I am wrong: we don't include the meta-build dependencies in the snapshot.
The jackson-databind:2.9.8
comes from the Test
dependencies of actor-tests
, coordination
and discovery
:
pekko > show actor-tests/Test/dependencyTree
[info] org.apache.pekko:pekko-actor-tests_2.13:0.0.0+26699-495dc110+20230612-1344-SNA..
...
[info] +-com.spotify:docker-client:8.16.0
...
[info] | +-org.glassfish.jersey.media:jersey-media-json-jackson:2.22.2
...
[info] | | +-com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.9.8
...
[info] | | | +-com.fasterxml.jackson.core:jackson-databind:2.9.8
...
[info] | | +-com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.9.8
...
[info] | | | +-com.fasterxml.jackson.core:jackson-databind:2.9.8
...
You should be able to override this dependency in your build. Or you can ignore some projects/configs with the modules-ignore or configs-ignore inputs.
Thanks for the help, found the root culprit https://github.com/spotify/docker-client
At Pekko we have added sbt-dependency-submission to our project (see https://github.com/apache/incubator-pekko/pull/366) however we are getting an interesting/odd bug where although the plugin is submitting the dependencies, the version of sbt dependencies appear to be off?
Incase you can't see the dependabot alerts, here is an example
The thing is, the project is currently using Jackson 2.14.3 (see https://github.com/apache/incubator-pekko/blob/main/project/Dependencies.scala#L37-L38) and if you checkout the project and run
libraryDependencies
in the sbt shellYou can see that all of the jackson versions are being resolved to
2.14.3