Some dependencies in /core module are in the wrong scope.

[HappyHacker123]

Description

The following dependencies in /core are set to scope implementation, but the expected scope should api.

org.bouncycastle:bcprov-jdk15on 
com.google.guava:guava:32.1.3-jre 
io.netty:netty-transport-native-unix-common

According to gradle offcial doc, if a library contains classes that are exposed in the library binary interface, its dependency scope should be api. The above depedencies all contain classes exposed in binary interface as offical doc goes, I list one example of each dependency below.

• Class AsymmetricKeyInfoConverter is used as public method parameter in core/src/main/java/com/linecorp/armeria/internal/common/util/MinifiedBouncyCastleProvider.java
• Class io.netty.channel.unix.DomainSocketAddress is used as public method parameter in core/src/main/java/com/linecorp/armeria/common/util/DomainSocketAddress.java
• Class ForwardingSet is extended in core/src/main/java/com/linecorp/armeria/common/DefaultCookies.java

Possible Outcome

This can lead to compilation failures in consumers, as mentioned in offical doc.

This keeps the dependencies off of the consumer’s compilation classpath. In addition, the consumers will immediately fail to compile if any implementation types accidentally leak into the public API.

Solution

Change the dependency scope from implementation to api.

[HappyHacker123]

Could you help me review this issue @ikhoon @minwoox ? Many thanks :)

[ikhoon]

Class io.netty.channel.unix.DomainSocketAddress is used as public method parameter in core/src/main/java/com/linecorp/armeria/common/util/DomainSocketAddress.java

Good point. We need to fix it.

Class AsymmetricKeyInfoConverter is used as public method parameter in core/src/main/java/com/linecorp/armeria/internal/common/util/MinifiedBouncyCastleProvider.java

bouncycastle is shaded so it is not part of transitive dependencies and can't be api.
We may remove ConfigurableProvider from the super class or move MinifiedBouncyCastleProvider to internal.

Class ForwardingSet is extended in core/src/main/java/com/linecorp/armeria/common/DefaultCookies.java

DefaultCookies is a package private class so ForwardingSet doesn't have to be api.

[HappyHacker123]

@ikhoon Thanks a lot for your prompt response and clarification!

DefaultCookies is a package private class so ForwardingSet doesn't have to be api.

You're right, I'm sorry to give a wrong example. But here's another example regarding exposed classses in guava. Could you please take a look?

• com.google.common.collect.ImmutableList.Builder in guava is used as public method parameter in core/src/main/java/com/linecorp/armeria/internal/common/metric/DefaultMeterIdPrefixFunction.java

Acually we found another dependency com.github.ben-manes.caffeine:caffeine whose scope may also need to be set to api due to the following usage.

• com.github.benmanes.caffeine.cache.Cache in caffeine is used as public parameter in core/src/main/java/com/linecorp/armeria/internal/common/metric/CaffeineMetricSupport.java

[ikhoon]

Good question.

com.google.common.collect.ImmutableList.Builder in guava is used as public method parameter in

Though they have public visibility, classes under internal packages are internal classes.

armeria/core/src/main/java/com/linecorp/armeria/internal/common/metric/package-info.java

Line 18 in a13d582

* Various classes used internally. Anything in this package can be changed or removed at any time.

In addition to Bouncycastle, we also shadow Guava dependency. If it is exposed in the public API, we should fix it instead of making it api.

armeria/dependencies.toml

Lines 524 to 525 in a13d582

	relocations = [
	{ from = "com.google.common", to = "com.linecorp.armeria.internal.shaded.guava" },

[HappyHacker123]

@ikhoon Thank you for your response :). I now have a thorough understanding of the situation, and the problem should be fixed according to armeria's actual implementation. Hope to hear it fixed soon :).