deps: dependency order matters #182
@kolea2 not going to reorder these right now, but in maven dependency order is significant, and we've been taking advantage of that to fix some dependency issues. We should not promise to sort them alphabetically.
While true that dependency ordering matters in maven, we don't currently need to rely on dependency ordering. All relevant dependencies are specified in If we run into a situation where we start depending on the order, then we can remove the current organization scheme. Alternatively, if you have a preference for a different organization scheme, please let us know and we can migrate to it. But for now, I'd like to keep the long list of prod dependencies organized somehow.
Sorry, this is not that simple. This really does matter. For the BOM you cite to solve this it would have to include all your transitive dependencies, and it doesn't.
Codecov Report
@@ Coverage Diff @@
## master #182 +/- ##
=========================================
Coverage ? 82.11%
Complexity ? 1010
=========================================
Files ? 99
Lines ? 6089
Branches ? 334
=========================================
Hits ? 5000
Misses ? 912
Partials ? 177
Please explain
Suppose two of your dependencies, say http-client and google-auth-library, pull in different versions of Apache commons logging at the same depth. Then which one your project gets depends on whether you depend on http-client first and google-auth-library second or vice versa. This came up in another project recently where we had to reorder dependencies to avoid pulling in an older commons-logging: googleapis/google-http-java-client#981 Dependency order matters to Maven. Nine times out of ten any arbitrary order you pick will work, but the tenth time you're going to need to pay closer attention than that.
I understand that maven cares about ordering to resolve transitive dependency conflicts and that there is a difference in which version of commons-logging gets pulled in depending on the order of http-client and google-auth-library. This project has a lot of dependencies and we need a consistent way to keep them organized. Currently, alphabetical ordering works just fine. If it becomes an issue, we can either add a documented exception to the alphabetical organization or we can change it to another system. I'm not ok with completely removing guidance for organizing dependencies.
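Added example, not part of the original thread or the project's code: a simplified Python model of Maven's "nearest wins, first declared breaks ties" mediation, used to check whether sorting the direct dependencies alphabetically changes a resolved version. The artifact names come from the comment above; the version numbers, the graph and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample graph: artifact names are from the thread, the versions
# are placeholders and not the real releases' dependency data.
TRANSITIVE = {
    ("http-client", "1.0"): [("commons-logging", "1.1")],
    ("google-auth-library", "1.0"): [("commons-logging", "1.2")],
}


def mediate(direct, transitive):
    """Simplified model of Maven mediation.

    Walks the graph breadth-first in declaration order, so the nearest
    definition wins and, at equal depth, the first declared one wins.
    Returns {artifact: (version, depth)} for every selected artifact.
    """
    selected = {}
    queue = deque((name, ver, 1) for name, ver in direct)
    while queue:
        name, ver, depth = queue.popleft()
        if name in selected:
            continue  # a nearer or earlier-declared version already won
        selected[name] = (ver, depth)
        for child, child_ver in transitive.get((name, ver), []):
            queue.append((child, child_ver, depth + 1))
    return selected


def changed_by_sorting(direct, transitive):
    """Artifacts whose resolved version differs once `direct` is sorted by name."""
    declared = mediate(direct, transitive)
    alphabetical = mediate(sorted(direct), transitive)
    return sorted(n for n in declared if declared[n][0] != alphabetical.get(n, (None,))[0])


if __name__ == "__main__":
    direct = [("http-client", "1.0"), ("google-auth-library", "1.0")]
    print("declared order :", mediate(direct, TRANSITIVE)["commons-logging"])
    print("alphabetical   :", mediate(sorted(direct), TRANSITIVE)["commons-logging"])
    print("order-sensitive:", changed_by_sorting(direct, TRANSITIVE))
    # Declaring the contested artifact directly (depth 1) removes the tie.
    pinned = direct + [("commons-logging", "1.2")]
    print("after pinning  :", changed_by_sorting(pinned, TRANSITIVE))
```

In a real build the same question is answered by comparing `mvn dependency:tree` output before and after a reorder; the model only shows why the two can differ.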