-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow pinning transitive artifacts via new pinned_artifacts attribute #645
Allow pinning transitive artifacts via new pinned_artifacts attribute #645
Conversation
Using artifacts= + version_conflict_policy=pinned is possible to set versions of transitive artifacts but that affects visibility, required policy change and makes artifacts= bigger than it needs to be.
I thought coursier supported exact version pinning using the Please let me know if I am mistaken, and I'll do a proper review of this PR. |
It's possible to use maven_install(
artifacts = ["com.google.guava:guava:31.0.1-jre"],
version_conflict_policy = "pinned",
) But the downside is
With new attribute one can do something like this maven_install(
artifacts = ["com.google.guava:guava:31.0.1-jre", ...].
version_conflict_policy = "pinned", # or maybe use the default one
pinned_artifacts = [
# 4.1.67.Final has CVE https://github.com/advisories/GHSA-grg4-wf29-r9vv
"io.netty:netty-codec-http2:4.1.68.Final",
"io.netty:netty-codec-http:4.1.68.Final",
"io.netty:netty-codec-socks:4.1.68.Final",
"io.netty:netty-codec:4.1.68.Final",
"io.netty:netty-handler-proxy:4.1.68.Final",
"io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.68.Final",
"io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.68.Final",
"io.netty:netty-transport-native-unix-common:4.1.68.Final",
],
) transitive dependency version is bumped, but directly used dependencies vs transitive dependency versions lists are still separated |
I don't see how the new attribute is necessarily simpler than putting the new list of pinned_artifacts in artifacts, and using pinned version_conflict_policy? |
Mainly two reasons:
bazel query 'kind(jvm_import, @maven//... - deps(//..., 1)) intersect attr(visibility, public, @maven//...)' |
I don't think adding a new API for this makes it necessarily simpler. A new attribute is an attribute that we'd have to support ~forever. For aesthetics, it could be a project-side concatenation of lists. re: public visibility for indirect artifacts is needed, given #147 (comment)
Why can't this be an rdeps query? In general, I'm not too comfortable with adding another core attribute like this, especially if it doesn't bring significant benefit over the existing mechanisms. |
main thing that isn't possible without this PR is having will close then |
Using artifacts= + version_conflict_policy=pinned is possible to set versions
of transitive artifacts but that affects visibility, required policy change and
makes artifacts= bigger than it needs to be.