webjar dependency version need to be fixed #7730

Closed
RuralHunter opened this issue May 14, 2019 · 6 comments

Comments

@RuralHunter
commented May 14, 2019

Issue Description

Every day, the first time I compile my dl4j project, I can see that Maven tries to update new versions of some webjars dependencies. The most likely reason for this is that the versions of those dependencies are not fixed. This slows down my first compilation a lot. It would be better to fix those versions.
As far as I can see, those dependencies are introduced by deeplearning4j-play_2.10. I can get the dependencies whose versions need to be updated with this Maven command:

mvn dependency:tree -Doutput=dep.txt
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building mydl4j 1.0
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ mydl4j ---
[WARNING] The parameter output is deprecated. Use outputFile instead.
[INFO] artifact org.webjars.npm:heap: checking for updates from release
[INFO] artifact org.webjars.npm:heap: checking for updates from central
[INFO] artifact org.webjars.npm:lodash.debounce: checking for updates from release
[INFO] artifact org.webjars.npm:lodash.debounce: checking for updates from central
[INFO] artifact org.webjars.bower:cytoscape: checking for updates from release
[INFO] artifact org.webjars.bower:cytoscape: checking for updates from central
[INFO] artifact org.webjars.bower:dagre: checking for updates from release
[INFO] artifact org.webjars.bower:dagre: checking for updates from central
[INFO] artifact org.webjars.bower:graphlib: checking for updates from release
[INFO] artifact org.webjars.bower:graphlib: checking for updates from central
[INFO] artifact org.webjars.bower:lodash: checking for updates from release
[INFO] artifact org.webjars.bower:lodash: checking for updates from central
[INFO] artifact org.webjars.npm:graphlib: checking for updates from release
[INFO] artifact org.webjars.npm:graphlib: checking for updates from central
[INFO] artifact org.webjars.npm:lodash: checking for updates from release
[INFO] artifact org.webjars.npm:lodash: checking for updates from central
[INFO] artifact org.webjars.npm:webcola: checking for updates from release
[INFO] artifact org.webjars.npm:webcola: checking for updates from central
[INFO] artifact org.webjars.npm:d3-dispatch: checking for updates from release
[INFO] artifact org.webjars.npm:d3-dispatch: checking for updates from central
[INFO] artifact org.webjars.npm:d3-drag: checking for updates from release
[INFO] artifact org.webjars.npm:d3-drag: checking for updates from central
[INFO] artifact org.webjars.npm:d3-selection: checking for updates from release
[INFO] artifact org.webjars.npm:d3-selection: checking for updates from central
[INFO] artifact org.webjars.npm:d3-timer: checking for updates from release
[INFO] artifact org.webjars.npm:d3-timer: checking for updates from central
[INFO] Wrote dependency tree to: dep.txt

Version Information

dl4j 1.0.0-beta4

@AlexDBlack

Contributor

commented May 14, 2019

As noted in gitter, dependency versions are fixed in our projects, so this is probably coming from webjar dependencies themselves, not our use of them.
Not sure why they would want to check for updates, but this is unnecessary IMO. We might be able to override that behavior...

@RuralHunter

Author

commented May 14, 2019

Yes, we can declare those dependencies with versions explicitly.

@RuralHunter

Author

commented May 14, 2019

Just had a check on one example, org.webjars.bower:dagre. It declares the dependencies like this:

        <dependency>
            <groupId>org.webjars.bower</groupId>
            <artifactId>graphlib</artifactId>
            <version>[1.0.5,2)</version>
        </dependency>
        
        <dependency>
            <groupId>org.webjars.bower</groupId>
            <artifactId>lodash</artifactId>
            <version>[3.10.0,4)</version>
        </dependency>
@AlexDBlack

Contributor

commented May 15, 2019

@RuralHunter Thanks for taking a look. I can kind of understand why they might do that (always use latest version) but it seems risky to me, due to the risk of unexpected breakages.
My first guess is that we should be able to force transitive dependency versions in the dependency management section of the pom.xml.

@RuralHunter

Author

commented May 15, 2019

Yes, I put these in the pom.xml of my project and it seems to work:

    <dependencyManagement>
        <dependencies>            
            <!-- Override webjars dependencies with fixed versions -->
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>heap</artifactId>
                <version>0.2.6</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>lodash.debounce</artifactId>
                <version>4.0.8</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.bower</groupId>
                <artifactId>lodash</artifactId>
                <version>3.10.1-amd</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.bower</groupId>
                <artifactId>cytoscape</artifactId>
                <version>3.2.5</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.bower</groupId>
                <artifactId>dagre</artifactId>
                <version>0.7.4</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.bower</groupId>
                <artifactId>graphlib</artifactId>
                <version>1.0.7</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>graphlib</artifactId>
                <version>2.1.7</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>lodash</artifactId>
                <version>4.17.11</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>d3-dispatch</artifactId>
                <version>1.0.5</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>d3-drag</artifactId>
                <version>1.2.3</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>d3-selection</artifactId>
                <version>1.4.0</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>d3-timer</artifactId>
                <version>1.0.9</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>webcola</artifactId>
                <version>3.3.8</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>klayjs</artifactId>
                <version>0.4.1</version>
            </dependency>
            <dependency>
                <groupId>org.webjars.npm</groupId>
                <artifactId>weaverjs</artifactId>
                <version>1.2.0</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
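
The thread traces the floating versions to ranges such as `[1.0.5,2)` in the webjars' own POMs and overrides them with `dependencyManagement` pins. The following added example (not part of the original thread or the DL4J project) audits a dependency's POM for range versions and reports whether a consumer POM pins each one inside its range. The sample POMs are constructed from the snippets above, the function names are hypothetical, and version ordering is simplified to the leading numeric components (qualifiers such as `-amd` are ignored, and only single-interval ranges are handled).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two range declarations quoted from the dagre POM above.
DAGRE_POM = """<project><dependencies>
<dependency><groupId>org.webjars.bower</groupId><artifactId>graphlib</artifactId>
  <version>[1.0.5,2)</version></dependency>
<dependency><groupId>org.webjars.bower</groupId><artifactId>lodash</artifactId>
  <version>[3.10.0,4)</version></dependency>
</dependencies></project>"""

# Constructed sample: a consumer POM that pins graphlib only (1.0.7, as in the thread).
CONSUMER_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
<dependencyManagement><dependencies>
<dependency><groupId>org.webjars.bower</groupId><artifactId>graphlib</artifactId>
  <version>1.0.7</version></dependency>
</dependencies></dependencyManagement></project>"""

RANGE = re.compile(r"^([\[(])([^,\[\]()]*),([^,\[\]()]*)([\])])$")  # single interval only

def deps(pom_text, path):
    """Yield (groupId:artifactId, version) for <dependency> elements at `path`."""
    root = ET.fromstring(pom_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # strip the POM namespace if present
    for d in root.findall(path + "/dependency"):
        ga = f"{d.findtext('groupId', '').strip()}:{d.findtext('artifactId', '').strip()}"
        yield ga, d.findtext("version", "").strip()

def key(version):
    """Simplified ordering: leading numeric components only, qualifiers ignored."""
    nums = [int(n) for n in re.match(r"[\d.]*", version).group().split(".") if n]
    return tuple((nums + [0, 0, 0, 0])[:4])

def in_range(version, m):
    lo_ok = not m[2] or (key(version) >= key(m[2]) if m[1] == "[" else key(version) > key(m[2]))
    hi_ok = not m[3] or (key(version) <= key(m[3]) if m[4] == "]" else key(version) < key(m[3]))
    return lo_ok and hi_ok

def audit(dependency_pom, consumer_pom):
    """Map each range-versioned dependency to 'unpinned', 'pinned <v>' or 'pin <v> outside range'."""
    pins = dict(deps(consumer_pom, "dependencyManagement/dependencies"))
    report = {}
    for ga, version in deps(dependency_pom, "dependencies"):
        m, pin = RANGE.match(version), pins.get(ga)
        if m:  # plain versions are not ranges and are skipped
            report[ga] = ("unpinned" if pin is None else
                          f"pinned {pin}" if in_range(pin, m) else f"pin {pin} outside range")
    return report
```

Calling `audit(DAGRE_POM, CONSUMER_POM)` reports graphlib as pinned and lodash as still floating, which is the kind of gap that lets a transitive version change between builds.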

@AlexDBlack AlexDBlack self-assigned this May 28, 2019

AlexDBlack added a commit that referenced this issue May 28, 2019
Multiple fixes (#7793)
* #7786 SharedTrainingMaster environment variable fix

* #7785 SameDiffOutputLayer - doInit fix

* #7779 DL4J resources (pretrained models etc) URL: use https

* #7778 Remove DynamicCustomOp.sameDiffBuilder

* Revert #7779

* #7779 Use https resources address that works correctly (certificates match hostname)

* #7754 BaseNDArray.castTo - no-op if already correct type

* Handful of fixes for ND4J sessions tests

* Handful of fixes for ND4J sessions tests

* #7730 Webjars dependencies - lock down versions
@AlexDBlack

Contributor

commented Jun 3, 2019
