Open jflamy opened 10 months ago
commons-io is listed as direct dependency in the flow project https://github.com/vaadin/flow/blob/8c73772e6b5a568b4b9bf9d071628d24835cd91b/flow-server/pom.xml#L86-L89
If you configure commons-io in your project directly it gets precedence over the one defined as transitive dependency. You can learn more about Maven's dependency resolution here: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
TL;DR: If you define the dependency directly, it takes precedence and it's your job to resolve it accordingly and check if you are using old / mismatching libraries.
I would think an explicit version number would be warranted. If I don't force one myself, I end up with version 2.11 from the vaadin dev server
It's recommended to exclude Vaadin Dev (Server) from production: https://vaadin.com/docs/latest/production/production-build#excluding-development-server-module
But yes, this still looks odd and should be fixed by either removing the non-versioned declaration or adding an explicit version.
On the flow starter project, with Vaadin 24.2.5, I can see version 2.13.0 is used (the one used in Flow)
[INFO] com.example:project-base:war:1.0-SNAPSHOT
[INFO] \- com.vaadin:vaadin-core:jar:24.2.5:compile
[INFO] +- com.vaadin:vaadin-core-internal:jar:24.2.5:compile
[INFO] | \- com.vaadin:flow-server:jar:24.2.4:compile
[INFO] | +- org.apache.commons:commons-fileupload2-jakarta:jar:2.0.0-M1:compile
[INFO] | | +- org.apache.commons:commons-fileupload2-core:jar:2.0.0-M1:compile
[INFO] | | | \- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO] | | \- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO] | \- commons-io:commons-io:jar:2.13.0:compile
[INFO] \- com.vaadin:vaadin-dev:jar:24.2.5:compile
[INFO] \- com.vaadin:vaadin-dev-server:jar:24.2.4:compile
[INFO] \- com.vaadin:open:jar:8.5.0:compile
[INFO] \- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.13.0)
I have not done the full autopsy. My project is not derived from a recent starter (it dates back to 2019). I do not use Spring Boot, and I run from an embedded Jetty, not from a war ("starter" should support a lightweight all-in-one-jar, that's another issue).
The relevant parts I have spotted are below -- I have not had to look at them recently (like, never), so they may be redundant or otherwise broken. But they worked until 24.2.
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.vaadin</groupId>
            <artifactId>vaadin-bom</artifactId>
            <version>${vaadin.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
and
<dependencies>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-server</artifactId>
    </dependency>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-client</artifactId>
    </dependency>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-push</artifactId>
    </dependency>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-html-components</artifactId>
    </dependency>
</dependencies>
Running mvn dependency:tree -Dverbose -Dincludes=commons-io:commons-io may help in detecting who is bringing in the dependency.
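The verbose tree above is easy to misread by eye, as the later comments in this thread show. The following script is an added example, not code from the thread participants or from the Vaadin projects: it parses the output of that mvn dependency:tree -Dverbose command, reports which version of an artifact Maven actually chose, lists the versions it omitted for duplicate or conflict, and flags the case where nearest-wins resolution picked an older version than a transitive one that was dropped. The two sample trees are constructed for the example: the first is a copy of the starter-project tree posted earlier in this thread, the second is a made-up project that declares an older commons-io directly.

```python
"""Parse `mvn dependency:tree -Dverbose` output and report how one artifact was resolved."""
import re
from dataclasses import dataclass
from typing import Optional

# "[INFO] " log prefix plus the tree-drawing characters (| +- \-) Maven prints before each node.
PREFIX_RE = re.compile(r"^\[INFO\]\s*[|+\\\-\s]*")
# Nodes Maven did not select are wrapped in parentheses with the reason they were omitted.
OMITTED_RE = re.compile(
    r"^\((?P<coord>.+?) - omitted for "
    r"(?P<reason>duplicate|conflict with (?P<winner>[^\s)]+))\)$"
)


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    omitted: bool
    winner: Optional[str]  # version that won, when omitted for conflict


def parse_node(line: str) -> Optional[Node]:
    """Return a Node for one tree line, or None for lines that carry no coordinate."""
    body = PREFIX_RE.sub("", line.rstrip())
    omitted, winner, coord = False, None, body
    m = OMITTED_RE.match(body)
    if m:
        omitted, winner, coord = True, m.group("winner"), m.group("coord")
    parts = coord.split(":")
    if len(parts) < 4:
        return None  # e.g. "[INFO] BUILD SUCCESS" or a separator line
    group, artifact = parts[0], parts[1]
    if len(parts) == 4:        # root project: group:artifact:packaging:version
        version, scope = parts[3], None
    elif len(parts) == 5:      # group:artifact:type:version:scope
        version, scope = parts[3], parts[4]
    else:                      # group:artifact:type:classifier:version:scope
        version, scope = parts[-2], parts[-1]
    return Node(group, artifact, version, scope, omitted, winner)


def version_key(v: str):
    """Numeric-aware ordering: 2.13.0 > 2.11.0; a qualifier (-M1, -SNAPSHOT) sorts below the bare release."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return (nums, 0 if "-" in v else 1)


def resolve(tree_output: str, group: str, artifact: str) -> dict:
    """Summarise how Maven resolved group:artifact in the given verbose tree output."""
    nodes = [n for n in map(parse_node, tree_output.splitlines())
             if n and n.group == group and n.artifact == artifact]
    chosen = [n.version for n in nodes if not n.omitted]
    conflicts = [(n.version, n.winner) for n in nodes if n.omitted and n.winner]
    duplicates = [n.version for n in nodes if n.omitted and not n.winner]
    resolved = chosen[0] if chosen else None
    # Nearest-wins can select an older version than one a transitive path asked for; surface that.
    downgraded_from = [v for v, _ in conflicts
                       if resolved and version_key(v) > version_key(resolved)]
    return {"resolved": resolved, "conflicts": conflicts,
            "duplicates": duplicates, "downgraded_from": downgraded_from}


# Constructed sample 1: copy of the Vaadin starter tree posted in this thread.
SAMPLE_STARTER = """\
[INFO] com.example:project-base:war:1.0-SNAPSHOT
[INFO] \\- com.vaadin:vaadin-core:jar:24.2.5:compile
[INFO] +- com.vaadin:vaadin-core-internal:jar:24.2.5:compile
[INFO] | \\- com.vaadin:flow-server:jar:24.2.4:compile
[INFO] | +- org.apache.commons:commons-fileupload2-jakarta:jar:2.0.0-M1:compile
[INFO] | | +- org.apache.commons:commons-fileupload2-core:jar:2.0.0-M1:compile
[INFO] | | | \\- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO] | | \\- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO] | \\- commons-io:commons-io:jar:2.13.0:compile
[INFO] \\- com.vaadin:vaadin-dev:jar:24.2.5:compile
[INFO] \\- com.vaadin:vaadin-dev-server:jar:24.2.4:compile
[INFO] \\- com.vaadin:open:jar:8.5.0:compile
[INFO] \\- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.13.0)
"""

# Constructed sample 2: a hypothetical project that declares an older commons-io directly,
# so the direct declaration wins and the version flow-server wanted is dropped.
SAMPLE_DOWNGRADE = """\
[INFO] com.example:legacy-app:jar:1.0
[INFO] +- com.vaadin:flow-server:jar:24.2.4:compile
[INFO] |  \\- (commons-io:commons-io:jar:2.13.0:compile - omitted for conflict with 2.11.0)
[INFO] \\- commons-io:commons-io:jar:2.11.0:compile
"""

if __name__ == "__main__":
    for name, tree in (("starter", SAMPLE_STARTER), ("downgrade", SAMPLE_DOWNGRADE)):
        print(name, resolve(tree, "commons-io", "commons-io"))
```

For the starter tree the report shows commons-io 2.13.0 resolved via flow-server, two duplicate entries from commons-fileupload2, and 2.11.0 from vaadin-dev-server dropped for conflict; the downgrade sample shows resolved 2.11.0 with 2.13.0 listed under downgraded_from, which is the situation to look for when an explicit dependency is pinned to an older version than the framework expects.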
See above. The picture is from the Eclipse IDE doing the dependency tree filtering on commons-io. The dev server brings it -- I need uploads to work in dev mode, so I have to leave it in my pom.
I noticed it, but in my case flow-server wins, and I can't see the reason why in your case vaadin-dev-server should win. And in your pom you also have a direct dependency to flow-server, which should give it even higher priority. And I am a bit biased, not trusting IDE representations of dependency resolution :)
[INFO] app.owlcms:owlcms:jar:44.6.1-rc01
[INFO] +- com.vaadin:vaadin-core:jar:24.2.5:compile
[INFO] | \- com.vaadin:vaadin-dev:jar:24.2.5:compile
[INFO] | \- com.vaadin:vaadin-dev-server:jar:24.2.4:compile
[INFO] | \- com.vaadin:open:jar:8.5.0:compile
[INFO] | \- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.13.0)
[INFO] \- commons-io:commons-io:jar:2.14.0:compile
Interesting that 2.13 is shown here but not in the IDE.
Oh well.
I believe we should update the commons-io version in our dependency here https://github.com/vaadin/open/blob/d0c82d85bbd99074997bb7a8e02d664ac27b8f3d/pom.xml#L26C38-L26C38. Or make it provided to not raise conflicts.
https://github.com/vaadin/flow/issues/17872#issuecomment-2226107463 works with commons-io 2.14.0 for me.
Description of the bug
See bug report #18104
When Spring Boot is NOT used, a dependency on commons-io 2.14 or more recent is required for the upload component to work. This dependency does not appear to be listed in the inherited BOM.
If the dependency is missing the uploads fail with "server error" but no message or exception is thrown.
Expected behavior
There should be no need to add this dependency.
Minimal reproducible example
See bug report #18104
Versions