deps: dependency order matters

[elharo]

@kolea2 not going to reorder these right now, but in maven dependency order is significant, and we've been taking advantage of that to fix some dependency issues. We should not promise to sort them alphabetically.

[igorbernstein2]

While true that dependency ordering matters in maven, we don't currently need to rely on dependency ordering. All relevant dependencies are specified in
https://github.com/googleapis/java-bigtable/blob/master/google-cloud-bigtable-deps-bom/pom.xml

If we run into a situation where we start depending on the order, then we can remove the current organization scheme. Alternatively, if you have a preference for a different scheme organization scheme, please let us know and we can migrate to it. But for now, I'd like to keep the long list of prod dependencies organized somehow

[elharo]

sorry, this is not that simple. This really does matter. For the BOM you cite to solve this it would have to include all your transitive dependencies, and it doesn't.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@b40543b). Click here to learn what that means.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master     #182   +/-   ##
=========================================
  Coverage          ?   82.11%           
  Complexity        ?     1010           
=========================================
  Files             ?       99           
  Lines             ?     6089           
  Branches          ?      334           
=========================================
  Hits              ?     5000           
  Misses            ?      912           
  Partials          ?      177

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b40543b...38fe7d6. Read the comment docs.

[igorbernstein2]

Please explain

[elharo]

suppose two of your dependencies, say http-client and google-auth-library pull in different versions of Apache commons logging at the same depth. Then which one your project gets depends on whether you depend on http-client first and google-auth-library second or vice versa.

This came up in another project recently where we had to reorder dependencies to avoid pulling in an older commons-logging:

googleapis/google-http-java-client#981

Dependency order matters to Maven. Nine times out of ten any arbitrary order you pick will work, but the tenth time you're going to need to pay closer attention than that.

[igorbernstein2]

I understand that maven cares about ordering to resolve transitive dependency conflicts and that there is a difference in which version of commons-logging gets pulled in depending on the order of http-client and google-auth-library.
However is this not a problem in this project and to make sure that its not a problem in the future, I'm adding an enforcer rule: #203 that will prevent issues like googleapis/google-http-java-client#981.

This project has a lot of dependencies and we need an consistent way to keep them organized. Currently, alphabetical ordering works just fine. If it becomes an issue, we can either add a documented exception to the alphabetical organization or we can change it to another system. I'm not ok from completely removing guidance for organizing dependencies.