Use io.jenkins.plugins:commons-lang3-api
#2433
Conversation
viceice
changed the title
commons-lang3-api jenkins pluginio.jenkins.plugins:commons-lang3-api
|
any idea why those tests failed? |
| <groupId>com.squareup.okhttp3</groupId> | ||
| <artifactId>okhttp</artifactId> | ||
| <version>3.12.12</version> |
There was a problem hiding this comment.
Removed, as it's a transitive dep of io.jenkins.plugins:okhttp-api which should be used instead
|
@olamy The failed tests seems to be unrelated to my change. Looks like a jenkins agent issue: |
|
@olamy anything else todo here? i really need this fixed |
| <bannedDependencies> | ||
| <excludes> | ||
| <exclude>org.apache.commons:commons-lang3</exclude> | ||
| <exclude>com.squareup.okhttp3:okhttp</exclude> |
There was a problem hiding this comment.
thanks 🙏
btw: I've uninstalled blue ocean as the development was stopped.
| <rules> | ||
| <bannedDependencies> | ||
| <excludes> | ||
| <exclude>org.apache.commons:commons-lang3</exclude> |
There was a problem hiding this comment.
Why? If there are errors they should be fixed, not suppressed.
There was a problem hiding this comment.
was not my idea, was told to add that rule. 🤷♂️
There was a problem hiding this comment.
#2433 (comment) I guess? Not sure I follow.
There was a problem hiding this comment.
The idea is: we don't want to have dependency org.apache.commons:commons-lang3 here because we are now using commons-lang3-api so we ban it and if for any reason a new dependency or an upgrade of a current dependency bring it back to the dependency tree the build will fail as the dependency is now banned.
Otherwise the dependency can come back and nobody will notice that (upperBound maybe but not if it's back in the tree with the same or higher version)
There was a problem hiding this comment.
I was mixing this up with requireUpperBoundsDeps. That said, not sure I follow the logic—if we are using commons-lang3-api then it is harmless if the same artifact is available via some other dependency trail.
There was a problem hiding this comment.
the origin of the change comes from https://github.com/jenkinsci/code-coverage-api-plugin/issues/647
There was a problem hiding this comment.
Oh definitely we should be using the API wrapper plugin. I am just trying to understand the need for a bannedDependencies rule on top of that, since depending on the API wrapper plugin ought to ensure that the library JAR does not get bundled here even if it is accessible via some other dependency trail.
There was a problem hiding this comment.
you can definitely add manually a dependency to org.apache.commons:commons-lang3 (at least same version as te one coming from the wrapper api) in any pom and it will be added to the hpi. Or coming from transitive (but still with same or higher version because of upperBound.
Try this
diff --git a/blueocean-pipeline-editor/pom.xml b/blueocean-pipeline-editor/pom.xml
index 14f3c6ac7..85f43ddc1 100644
--- a/blueocean-pipeline-editor/pom.xml
+++ b/blueocean-pipeline-editor/pom.xml
@@ -73,12 +73,17 @@
<artifactId>okhttp</artifactId>
</exclusion>
<!-- commons-lang3 is provided by commons-lang3-api plugin -->
- <exclusion>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-lang3</artifactId>
- </exclusion>
+<!-- <exclusion>-->
+<!-- <groupId>org.apache.commons</groupId>-->
+<!-- <artifactId>commons-lang3</artifactId>-->
+<!-- </exclusion>-->
</exclusions>
</dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ <version>3.12.0</version>
+ </dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>ant</artifactId>
diff --git a/pom.xml b/pom.xml
index 2fd6c28dd..26507faef 100644
--- a/pom.xml
+++ b/pom.xml
@@ -764,7 +764,7 @@
<rules>
<bannedDependencies>
<excludes>
- <exclude>org.apache.commons:commons-lang3</exclude>
+ <!--exclude>org.apache.commons:commons-lang3</exclude-->
</excludes>
<searchTransitive>false</searchTransitive>
</bannedDependencies>
mvn clean install -pl :blueocean-pipeline-editor -DskipTests
➜ blueocean-plugin git:(master) ✗ unzip -l blueocean-pipeline-editor/target/blueocean-pipeline-editor.hpi|grep jar
587402 11-17-2022 09:07 WEB-INF/lib/commons-lang3-3.12.0.jar
1061316 05-09-2023 19:30 WEB-INF/lib/blueocean-pipeline-editor.jar
In this case it is same version so no problem at all but having some higher version potentially can be a problem.
not really sure how to prevent this automatically except writing some special enforcer rules to fail in such case or manually added banned dependency rule such this one.
There was a problem hiding this comment.
If you added that dependency explicitly to the plugin POM then it is not surprising it appears in the *.hpi, but do you have an example of
Or coming from transitive
? If true, there may be a bug in maven-hpi-plugin since it is supposed to be filtering out jar-packaging dependencies which are also available via some dependency trail involving another plugin.
Somewhere I proposed just forcing plugin POMs to explicitly declare a list of all jar-packaging artifactIds they intend to package, since this is such a frequent source of mistakes. I can try to dig up references and propose the change. Would be incompatible but easy to adapt to.
Description
Use
io.jenkins.plugins:commons-lang3-apiinstead oforg.apache.commons:commons-lang3.All tests still pass. I don't think this needs new tests.
I also updated these plugins to fix upper bound errors
org.apache.maven:maven-artifactorg.jenkins-ci.plugins:jiraorg.jenkins-ci.plugins:github-apiio.jenkins.plugins:okhttp-apiSubmitter checklist
Reviewer checklist