chore(deps): Pin AWS v1 SDK BOM to short-circuit transitive version #18619
…ange walk amazon-kinesis-deaggregator (added in apache#18224) pulls aws-lambda-java-events 1.1.0, whose POM declares aws-java-sdk-* deps with soft ranges like [1.10.5,). Maven resolves these by walking every published patch version, producing hundreds of POM downloads per clean build. Importing aws-java-sdk-bom in dependencyManagement overrides the ranges with a single deterministic version, eliminating the walk.
hudi-agent
left a comment
🤖 This review was generated by an AI agent and may contain mistakes. Please verify any suggestions before applying.
Thanks for the contribution! This PR pins the AWS v1 SDK BOM in root <dependencyManagement> to short-circuit transitive soft-version-range resolution (avoiding the AWS SDK patch-version walk during clean builds). No issues flagged from this automated pass — a Hudi committer or PMC member can take it from here for a final review.
cc @yihua
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #18619 +/- ##
============================================
+ Coverage 68.03% 68.04% +0.01%
- Complexity 28906 28920 +14
============================================
Files 2518 2518
Lines 140594 140598 +4
Branches 17420 17420
============================================
+ Hits 95652 95674 +22
+ Misses 37089 37073 -16
+ Partials 7853 7851 -2
…ange walk (apache#18619) amazon-kinesis-deaggregator (added in apache#18224) pulls aws-lambda-java-events 1.1.0, whose POM declares aws-java-sdk-* deps with soft ranges like [1.10.5,). Maven resolves these by walking every published patch version, producing hundreds of POM downloads per clean build. Importing aws-java-sdk-bom in dependencyManagement overrides the ranges with a single deterministic version, eliminating the walk.
Describe the issue this Pull Request addresses
amazon-kinesis-deaggregator:1.0.3 (added in #18224) drags in aws-lambda-java-events:1.1.0, whose POM declares aws-java-sdk-* deps as soft version ranges:
Maven resolves these literally: it fetches maven-metadata.xml for every affected artifact, then downloads every intermediate POM (1.11.35, 1.11.36, ... 1.11.49x, ...) to walk the version graph. A clean build pulls hundreds of aws-java-sdk-s3-1.11.NNN.pom files just for graph traversal; the resolved jar is never on the classpath.
Side effects:
hudi-utilities.
Summary and Changelog
Pin com.amazonaws:aws-java-sdk-bom in the root <dependencyManagement>. The BOM imports a fixed version for every com.amazonaws:aws-java-sdk-* artifact, so Maven's <dependencyManagement> short-circuits the transitive ranges before the walk starts.
Changes (pom.xml):
- <aws.sdk.v1.version>1.12.797</aws.sdk.v1.version> next to the existing v2 SDK property. Version chosen to match the highest aws-java-sdk-core already in the resolved graph, so this is a behavioral no-op and adopts the SDK version the build was already converging on.
- aws-java-sdk-bom (scope import, type pom) at the top of <dependencyManagement> with an inline comment explaining the rationale.
Impact
- mvn invocations that touch hudi-utilities (or any reactor including it) skip the AWS SDK range walk. Hundreds of POM downloads per fresh ~/.m2 go away.
- 1.12.797) is what the build was already resolving to.
Risk Level
low.
- <scope>import</scope> only affects dependency resolution; no code change.
- mvn dependency:tree -pl hudi-utilities -am finishes without the AWS SDK range-walk download flood.
Documentation Update
none.
Contributor's checklist
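The pin described in this PR, written out as a pom.xml fragment. This is an added illustration, not the diff from the PR: the property name, version and BOM coordinates are the ones quoted in the description, while the surrounding layout and the comments are assumptions.

```xml
<!-- Children of <project> in the root pom.xml (layout assumed). -->
<properties>
  <!-- Version quoted in the PR description. -->
  <aws.sdk.v1.version>1.12.797</aws.sdk.v1.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Importing the BOM puts a managed version on every
         com.amazonaws:aws-java-sdk-* artifact. A transitive declaration
         such as
           <version>[1.10.5,)</version>
         is then replaced by the managed version, so Maven has no open
         range to resolve by walking published versions. -->
    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk-bom</artifactId>
      <version>${aws.sdk.v1.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running mvn dependency:tree -pl hudi-utilities -am, the command the description uses for verification, shows which version each aws-java-sdk-* artifact resolves to.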