spring-cloud / spring-cloud-kubernetes

Kubernetes integration with Spring Cloud Discovery Client, Configuration, etc...
Apache License 2.0

spring-cloud-kubernetes-client-config: dependency convergence #943

Closed tpokki closed 2 years ago

tpokki commented 2 years ago

Describe the bug
Version: 2.1.0
Bug: Dependency convergence

The mvn enforcer:enforce -Drules=dependencyConvergence fails on spring-cloud-kubernetes-client-config.

The problematic ones are commons-collections4 and bcpkix-jdk15on, as they are inherited by any project that includes spring-cloud-kubernetes-client-config. The other conflicts are with dependencies from test scope, and are therefore less relevant for those using this library.

Sample

$ git checkout v2.1.0
$ cd spring-cloud-kubernetes-client-config/
$ mvn enforcer:enforce -Drules=dependencyConvergence

...

[INFO] --- maven-enforcer-plugin:3.0.0-M3:enforce (default-cli) @ spring-cloud-kubernetes-client-config ---
[WARNING]
Dependency convergence error for org.checkerframework:checker-qual:3.10.0 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-io.kubernetes:client-java-extended:13.0.0
    +-com.github.ben-manes.caffeine:caffeine:2.9.2
      +-org.checkerframework:checker-qual:3.10.0
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-com.google.guava:guava:27.0.1-jre
      +-org.checkerframework:checker-qual:2.5.2

[WARNING]
Dependency convergence error for org.ow2.asm:asm:9.1 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-org.springframework.boot:spring-boot-starter-test:2.6.1
    +-com.jayway.jsonpath:json-path:2.6.0
      +-net.minidev:json-smart:2.4.7
        +-net.minidev:accessors-smart:2.4.7
          +-org.ow2.asm:asm:9.1
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.ow2.asm:asm:7.0

[WARNING]
Dependency convergence error for org.apache.commons:commons-collections4:4.4 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-io.kubernetes:client-java:13.0.0
    +-org.apache.commons:commons-collections4:4.4
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-io.kubernetes:client-java-extended:13.0.0
    +-com.flipkart.zjsonpatch:zjsonpatch:0.4.11
      +-org.apache.commons:commons-collections4:4.2

[WARNING]
Dependency convergence error for org.bouncycastle:bcpkix-jdk15on:1.69 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-io.kubernetes:client-java:13.0.0
    +-org.bouncycastle:bcpkix-jdk15on:1.69
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-org.springframework.security:spring-security-rsa:1.0.10.RELEASE
    +-org.bouncycastle:bcpkix-jdk15on:1.68

[WARNING]
Dependency convergence error for org.opentest4j:opentest4j:1.2.0 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-org.springframework.boot:spring-boot-starter-test:2.6.1
    +-org.junit.jupiter:junit-jupiter:5.8.1
      +-org.junit.jupiter:junit-jupiter-api:5.8.1
        +-org.opentest4j:opentest4j:1.2.0
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-org.springframework.cloud:spring-cloud-kubernetes-test-support:2.1.0
    +-org.junit.vintage:junit-vintage-engine:5.8.1
      +-org.junit.platform:junit-platform-engine:1.8.1
        +-org.opentest4j:opentest4j:1.2.0
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-net.javacrumbs.json-unit:json-unit-core:2.12.0
      +-org.opentest4j:opentest4j:1.1.1

[WARNING]
Dependency convergence error for com.google.errorprone:error_prone_annotations:2.5.1 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-io.kubernetes:client-java-extended:13.0.0
    +-com.github.ben-manes.caffeine:caffeine:2.9.2
      +-com.google.errorprone:error_prone_annotations:2.5.1
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-com.google.guava:guava:27.0.1-jre
      +-com.google.errorprone:error_prone_annotations:2.2.0

[WARNING]
Dependency convergence error for com.flipkart.zjsonpatch:zjsonpatch:0.4.11 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-io.kubernetes:client-java-extended:13.0.0
    +-com.flipkart.zjsonpatch:zjsonpatch:0.4.11
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-com.flipkart.zjsonpatch:zjsonpatch:0.4.4

[WARNING]
Dependency convergence error for commons-io:commons-io:2.11.0 paths to dependency are:
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-io.kubernetes:client-java:13.0.0
    +-commons-io:commons-io:2.11.0
and
+-org.springframework.cloud:spring-cloud-kubernetes-client-config:2.1.0
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-commons-fileupload:commons-fileupload:1.4
      +-commons-io:commons-io:2.2

[WARNING] Rule 0: org.apache.maven.plugins.enforcer.DependencyConvergence failed with message:
Failed while enforcing releasability. See above detailed error message.
...

wind57 commented 2 years ago

thank you for raising this issue.

This is not the first time we have dealt with transitive dependencies in various reports, and I don't think there is a proper and always correct way to solve this. If we were using Gradle, we could enable certain constraints project-wide and enforce "highest version wins", for example. afaik, Maven does not have such a feature, but we can still handle this: read further.

Nevertheless, I really think that we should mitigate this, especially since Maven takes the version that is the "closest one", which is not ideal here. Yes, currently we are indeed taking version 4.4, but a simple alteration in pom.xml can change that. Let's see how this can be fixed.

The first one reported (commons-collections4) comes from:

and the second one comes from :

It's easy to mitigate this with an exclusion; the obvious issue is whether io.kubernetes:client-java-extended and/or io.kubernetes:client-java will drop collections4 from their own dependencies (or some transitive dependency does that).

Another scenario where things can go south for us is if we remove, let's say, io.kubernetes:client-java (which brings collections4:4.4) in some future version and add the exclusion in io.kubernetes:client-java-extended...

It gets more fun with every aspect :) The good news here is that collections4 saw its latest release in 2019, version 4.4; it surely looks like the release cycle is either very slow or reaching end of life. The other good aspect is that we use internally either 4.2 or 4.4, in every module. This means this dependency is a good candidate for spring-cloud-kubernetes-dependencies.

The second dependency comes from io.kubernetes:client-java and org.springframework.security:spring-security-rsa. It makes sense why io.kubernetes:client-java needs it, but I don't understand why we require org.springframework.security:spring-security-rsa. As a matter of fact, if I remove this dependency and build the project, it builds just fine. imho, we do not need it at all.

That being said here is the PR that attempts to fix these two issues. Let's see what @ryanjbaxter thinks about it.
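A consumer-side way to make the convergence check that tpokki ran part of every build, and to pin the two compile-scope conflicts from the report (commons-collections4 and bcpkix-jdk15on) the way wind57 suggests for spring-cloud-kubernetes-dependencies, as an added example pom.xml; it is not code from the project or from this thread. The coordinates com.example:k8s-config-consumer are placeholders, and the choice of the validate phase and of versions 4.4 and 1.69 (the higher of each pair in the report above) are assumptions. A version declared in dependencyManagement applies to every path to that artifact, so the resolved version is the one declared here rather than whichever path happens to be shortest (or, at equal depth, declared first), which is what the enforcer rule otherwise flags.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of spring-cloud-kubernetes.
     Placeholder coordinates: replace com.example:k8s-config-consumer with the real ones. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.example</groupId>
  <artifactId>k8s-config-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Assumed choices: the higher version of each conflicting pair in the enforcer report. -->
    <commons-collections4.version>4.4</commons-collections4.version>
    <bouncycastle.version>1.69</bouncycastle.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- client-java brings 4.4, zjsonpatch (via client-java-extended) brings 4.2:
           manage it so every path resolves to one explicit, reviewed version. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>${commons-collections4.version}</version>
      </dependency>
      <!-- client-java brings 1.69, spring-security-rsa brings 1.68.
           bcpkix and bcprov are released in lock step, so pin both to the same version
           rather than letting nearest-wins pick a crypto library version silently. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library from the issue, at the version the report was produced against. -->
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-kubernetes-client-config</artifactId>
      <version>2.1.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Bind the same rule tpokki ran by hand to the validate phase, so a new
           transitive conflict fails the build instead of being resolved silently. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version>
        <executions>
          <execution>
            <id>enforce-dependency-convergence</id>
            <phase>validate</phase>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <dependencyConvergence/>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn validate` runs the convergence rule before anything is compiled, and `mvn dependency:tree -Dverbose` shows each managed artifact annotated with the version it was managed from, which is the record to review when the library moves to a newer io.kubernetes:client-java. The pins only decide version selection; they do not remove spring-security-rsa from the library's own dependency list, which is the library-side change wind57's PR proposes, and a pin left in place across a library upgrade can hold a transitive below what the new release expects, so it belongs in the same review as the upgrade itself.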