-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User defined artifacts get overridden by transitive dependencies #107
Comments
Unless I'm missing something, this particular configuration brings in guava 27.1-jre?
|
Ugh, I should have mentioned that this is a dummy example, not a real one 👎 It was just there to illustrate the problem! |
It seems the resolution is using the |
Yes, I believe that's the default for the Coursier CLI. The CLI supports the
I think we can thread this information into the rule using a new attribute in the |
@jin I was going to propose using that, but on a higher level as it is a flag that applies globally (all dependencies that are going to be fetched). So it would be something like:
What do you think? Should be a simple change to make! I can take it if you approve! |
I like that. I think we can map this API design from bazel-dep's versionConflictPolicy option as well: https://github.com/johnynek/bazel-deps#options
@dkelmer what do you think about this? |
Does this scheme you guys are talking about still allow for the situation where you want most things to be done with I've had that situation come up, and would advocate for an approach that maintains that as an option. |
@davidsantiago I don't think the |
To make it more concrete, here are examples of the current and intended behavior.
|
Hm, yeah. I guess this still doesn't make sense to me, but I think it's all really driven by what coursier lets you do anyways, and I'll definitely admit I'm new to it since rules_jvm_external. I feel like I must be confused. What doesn't make sense to me is that there are several things I could mean when I specify "com.google.guava:guava:25.0-android". I could mean, on the one hand, "I want at least this version, and you can upgrade to a later one that is semver compatible if needed." On the other hand, I could mean "I want exactly this version." So then it seems like there's no way to have it be the case that most of the time you mean "at least this version," and only sometimes "exactly this version." But "at least this version except when I say to make it actually that version" seems like a reasonable situation to have arise. But as I said, if coursier can't handle this combination of constraints, then there's nothing to be done here anyways. |
* Implement version_conflict_policy to pin user's artifact versions This commit implements `maven_install`'s `version_conflict_policy` attribute as described by @jin's comments ([1] and [2]). `version_conflict_policy = "pinned"` translates to Coursier's `-V group:artifact:version` for all requested artifacts. The default of "default" is a no-op. [1]: #107 (comment) [2]: #107 (comment) Resolves #107. Testing Done: - added new test case to //tests/unit/build_tests * fixup! Implement version_conflict_policy to pin user's artifact versions * fixup! Implement version_conflict_policy to pin user's artifact versions * fixup! Implement version_conflict_policy to pin user's artifact versions
If a user explicitly references a dependency, we should use that version and not ones brought through transitive dependencies. Basically, prioritize user defined dependencies over anything else. For example:
Should result in a dependency tree that contains
com.google.guava:guava:27.1-jre
, and not the one brought bycom.google.cloud:google-cloud-storage:1.66.0
.The text was updated successfully, but these errors were encountered: