vaadin / flow

Vaadin Flow is a Java framework binding Vaadin web components to Java. This is part of Vaadin 10+.
Apache License 2.0

Missing dependency in 24.2.5 for upload component. #18235

Open jflamy opened 10 months ago

jflamy commented 10 months ago

Description of the bug

See bug report #18104

When Spring Boot is NOT used, a dependency on commons-io 2.14 or more recent is required for the upload component to work. This dependency does not appear to be listed in the inherited BOM.

If the dependency is missing, the uploads fail with "server error" but no message or exception is thrown.

Expected behavior

There should be no need to add this dependency.

Minimal reproducible example

See bug report #18104

Versions

knoobie commented 10 months ago

commons-io is listed as a direct dependency in the flow project: https://github.com/vaadin/flow/blob/8c73772e6b5a568b4b9bf9d071628d24835cd91b/flow-server/pom.xml#L86-L89

If you configure commons-io in your project directly it gets precedence over the one defined as transitive dependency. You can learn more about Maven's dependency resolution here: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html

TL;DR: If you define the dependency directly, it takes precedence and it's your job to resolve it accordingly and check if you are using old / mismatching libraries.

jflamy commented 10 months ago

I would think an explicit version number would be warranted. If I don't force one myself, I end up with version 2.11 from the vaadin dev server image.

knoobie commented 10 months ago

It's recommended to exclude Vaadin Dev (Server) from production: https://vaadin.com/docs/latest/production/production-build#excluding-development-server-module

But yes, this still looks odd and should be fixed by either removing the non-versioned declaration or adding an explicit version.

mcollovati commented 10 months ago

On the flow starter project, with Vaadin 24.2.5, I can see version 2.13.0 is used (the one used in Flow):

```
[INFO] com.example:project-base:war:1.0-SNAPSHOT
[INFO] \- com.vaadin:vaadin-core:jar:24.2.5:compile
[INFO]    +- com.vaadin:vaadin-core-internal:jar:24.2.5:compile
[INFO]    |  \- com.vaadin:flow-server:jar:24.2.4:compile
[INFO]    |     +- org.apache.commons:commons-fileupload2-jakarta:jar:2.0.0-M1:compile
[INFO]    |     |  +- org.apache.commons:commons-fileupload2-core:jar:2.0.0-M1:compile
[INFO]    |     |  |  \- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO]    |     |  \- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO]    |     \- commons-io:commons-io:jar:2.13.0:compile
[INFO]    \- com.vaadin:vaadin-dev:jar:24.2.5:compile
[INFO]       \- com.vaadin:vaadin-dev-server:jar:24.2.4:compile
[INFO]          \- com.vaadin:open:jar:8.5.0:compile
[INFO]             \- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.13.0)
```

jflamy commented 10 months ago

I have not done the full autopsy. My project is not derived from a recent starter (it dates back to 2019). I do not use Spring Boot, and I run from an embedded Jetty, not from a war ("starter" should support a lightweight all-in-one-jar, that's another issue).

The relevant parts I have spotted are below -- I have not had to look at them recently (like, never), so they may be redundant or otherwise broken. But they worked until 24.2.

```xml
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.vaadin</groupId>
            <artifactId>vaadin-bom</artifactId>
            <version>${vaadin.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
```

and

```xml
<dependencies>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-server</artifactId>
    </dependency>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-client</artifactId>
    </dependency>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-push</artifactId>
    </dependency>
    <dependency>
        <groupId>com.vaadin</groupId>
        <artifactId>flow-html-components</artifactId>
    </dependency>
</dependencies>
```

mcollovati commented 10 months ago

Running `mvn dependency:tree -Dverbose -Dincludes=commons-io:commons-io` may help in detecting who is bringing in the dependency.
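A small parser for that verbose tree output, added here as an example; it is not Flow project code and not part of any comment in this thread. Given the `mvn dependency:tree -Dverbose` text and a `group:artifact`, it reports which version Maven selected, the chain of parents that brings it in, every occurrence Maven omitted for duplicate or conflict, and flags the case seen later in this thread where the "omitted for conflict with X" version is not the version that actually won (a sign that the winner was imposed from a direct declaration or dependencyManagement rather than from the tree). The two embedded trees are constructed fixtures re-typed from the output posted in this thread, not live build output; the script name `audit_tree.py` in the usage note is assumed.

```python
"""Audit `mvn dependency:tree -Dverbose -Dincludes=<group>:<artifact>` output.

Example added to this thread; not Vaadin/Flow code. Parses the verbose tree
Maven prints and reports which version of an artifact was selected, which
path brings it in, and every occurrence omitted for duplicate/conflict.
"""
import re
import sys
from typing import Dict, List, Tuple

# One node line: "[INFO] " + a tree prefix made of 3-char segments + coordinates,
# optionally wrapped in parentheses with an "omitted for ..." reason.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   |\+- |\\- )*)"
    r"\(?(?P<coords>[\w.\-]+(?::[\w.\-]+)+)"
    r"(?: - omitted for (?P<reason>[^)]*))?\)?\s*$"
)

# Constructed fixtures, re-typed from the trees posted in this thread.
OWLCMS_TREE = r"""
[INFO] app.owlcms:owlcms:jar:44.6.1-rc01
[INFO] +- com.vaadin:vaadin-core:jar:24.2.5:compile
[INFO] |  \- com.vaadin:vaadin-dev:jar:24.2.5:compile
[INFO] |     \- com.vaadin:vaadin-dev-server:jar:24.2.4:compile
[INFO] |        \- com.vaadin:open:jar:8.5.0:compile
[INFO] |           \- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.13.0)
[INFO] \- commons-io:commons-io:jar:2.14.0:compile
"""
STARTER_TREE = r"""
[INFO] com.example:project-base:war:1.0-SNAPSHOT
[INFO] \- com.vaadin:vaadin-core:jar:24.2.5:compile
[INFO]    +- com.vaadin:vaadin-core-internal:jar:24.2.5:compile
[INFO]    |  \- com.vaadin:flow-server:jar:24.2.4:compile
[INFO]    |     +- org.apache.commons:commons-fileupload2-jakarta:jar:2.0.0-M1:compile
[INFO]    |     |  +- org.apache.commons:commons-fileupload2-core:jar:2.0.0-M1:compile
[INFO]    |     |  |  \- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO]    |     |  \- (commons-io:commons-io:jar:2.13.0:compile - omitted for duplicate)
[INFO]    |     \- commons-io:commons-io:jar:2.13.0:compile
[INFO]    \- com.vaadin:vaadin-dev:jar:24.2.5:compile
[INFO]       \- com.vaadin:vaadin-dev-server:jar:24.2.4:compile
[INFO]          \- com.vaadin:open:jar:8.5.0:compile
[INFO]             \- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.13.0)
"""


def parse_tree(text: str) -> List[Dict]:
    """Flatten the tree into nodes, each carrying its chain of ancestors."""
    nodes: List[Dict] = []
    stack: List[Tuple[int, str]] = []      # (depth, "group:artifact:version")
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # plugin banners, blank lines, summaries
        depth = len(m["prefix"]) // 3      # every tree segment is 3 characters wide
        parts = m["coords"].split(":")
        # Root is g:a:type:version; children are g:a:type[:classifier]:version:scope.
        version, scope = (parts[-1], None) if depth == 0 else (parts[-2], parts[-1])
        while stack and stack[-1][0] >= depth:
            stack.pop()                    # climb back to this node's parent
        nodes.append({
            "group": parts[0], "artifact": parts[1], "version": version,
            "scope": scope, "reason": m["reason"], "path": [s[1] for s in stack],
        })
        stack.append((depth, f"{parts[0]}:{parts[1]}:{version}"))
    return nodes


def audit(text: str, group: str, artifact: str) -> Dict:
    """Selected version, who brings it in, and what Maven dropped on the way."""
    hits = [n for n in parse_tree(text)
            if n["group"] == group and n["artifact"] == artifact]
    selected = [n for n in hits if n["reason"] is None]
    omitted = [n for n in hits if n["reason"] is not None]
    report: Dict = {
        "selected": selected[0]["version"] if selected else None,
        "selected_via": selected[0]["path"] if selected else [],
        "omitted": [(n["version"], n["reason"], n["path"]) for n in omitted],
        "notes": [],
    }
    # Maven writes "omitted for conflict with X". When X is not the version that
    # actually won, the winner was imposed from elsewhere (a direct declaration
    # or dependencyManagement), which deserves a second look.
    for version, reason, path in report["omitted"]:
        cm = re.match(r"conflict with (\S+)", reason)
        if cm and report["selected"] and cm.group(1) != report["selected"]:
            parent = path[-1] if path else "<root>"
            report["notes"].append(
                f"{version} via {parent} lost to {cm.group(1)}, "
                f"yet {report['selected']} is the selected version")
    return report


def print_report(text: str, group: str, artifact: str) -> None:
    r = audit(text, group, artifact)
    print(f"{group}:{artifact} selected: {r['selected']} via "
          + " > ".join(r["selected_via"]))
    for version, reason, path in r["omitted"]:
        print(f"  omitted {version} ({reason}) via {path[-1] if path else '<root>'}")
    for note in r["notes"]:
        print("  note:", note)


if __name__ == "__main__":
    # "-" as the only argument reads real Maven output from stdin;
    # otherwise the embedded fixtures are audited.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        print_report(sys.stdin.read(), "commons-io", "commons-io")
    else:
        for tree in (OWLCMS_TREE, STARTER_TREE):
            print_report(tree, "commons-io", "commons-io")
```

Against a real build the input is simply piped in: `mvn dependency:tree -Dverbose -Dincludes=commons-io:commons-io | python3 audit_tree.py -`. On the owlcms fixture it reports 2.14.0 selected directly from the root module, with 2.11.0 omitted under `com.vaadin:open` and a note that the conflict message names 2.13.0 rather than the selected 2.14.0; on the starter fixture it reports 2.13.0 selected via flow-server with no note.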

jflamy commented 10 months ago

See above. The picture is from the eclipse IDE doing the dependency tree filtering on commons-io. The dev server brings it -- I need uploads to work in dev mode, so I have to leave it in my pom.

mcollovati commented 10 months ago

I noticed it, but in my case flow-server wins, and I can't see the reason why in your case vaadin-dev-server should win. And in your pom you also have a direct dependency to flow-server, which should give it even higher priority. And I am a bit biased, not trusting IDE representations of dependency resolution :)

jflamy commented 10 months ago

```
[INFO] app.owlcms:owlcms:jar:44.6.1-rc01
[INFO] +- com.vaadin:vaadin-core:jar:24.2.5:compile
[INFO] |  \- com.vaadin:vaadin-dev:jar:24.2.5:compile
[INFO] |     \- com.vaadin:vaadin-dev-server:jar:24.2.4:compile
[INFO] |        \- com.vaadin:open:jar:8.5.0:compile
[INFO] |           \- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.13.0)
[INFO] \- commons-io:commons-io:jar:2.14.0:compile
```

Interesting that 2.13 is shown here but not in the IDE.
Oh well.

mshabarov commented 10 months ago

I believe we should update the commons-io version in our dependency here https://github.com/vaadin/open/blob/d0c82d85bbd99074997bb7a8e02d664ac27b8f3d/pom.xml#L26C38-L26C38. Or make it provided to not raise conflicts.

rucko24 commented 3 months ago

https://github.com/vaadin/flow/issues/17872#issuecomment-2226107463 works with commons-io 2.14.0 for me.