Transitive dependency on jackson-databind pulls in -SNAPSHOT #77
Comments
rocketraman
changed the title
|
The issue with a simple dependency such as As far as your particular issue, in my testing, Maven appears to prefer the nearest version as long as that version is in the range specified by |
|
I see your point, but its very unusual for a library to set a dependency version this way. As a library author -- especially one that's not a core system library -- its not very nice force things your way when by doing so you're just moving the errors from your code to someone else's code. And you can't expect to cater your version declarations to work correctly with every build system that every project may use, and in every combination with every other transitive dependency. I believe this is just a general transitive dependency resolution complexity that every competent developer has to deal with, since the lack of uptake on versioned module systems like OSGi prevented a comprehensive solution to versioning hell... Specifying which specific version you prefer and leaving it at that is following the principle of least surprise, as that is what pretty much every library author does [1]. And every consumer of your library has to be aware of the dependencies you pull in, and whether there are any conflicts in their projects -- both maven and gradle offer all the necessary tools to do this. IMO, you should document your version requirements front and center and leave it at that. Though you do have some additional options:
[1] In my current project, I have literally 7 other libraries that pull in jackson-databind, and maxmind is the only one that defines the version this way. |
|
In addition: defining a version range makes builds non-repeatable. In my case, the same build that worked last week failed this week, I suspect because the first release of jackson 2.9.0-SNAPSHOT caused the dependency graph of my build to change, because of the way the maxmind dep is declared. At least if you specified a specific version, it might not prevent issues like the ones you referenced, but at least people's builds are repeatable! |
|
Version ranges are a standard part of Maven. Setting a minimum version when there is a hard minimum version seems completely appropriate. We went from several reports of issues per week without the minimum version to one issue in 6+ months with it. I agree that given Maven's poor dependency resolution algorithm, the version range is suboptimal, but both (1) and (2) would likely incur high support overhead for us and even more confusion for most users of the library. As I mentioned, Maven 3.3.9, at least, does consistently pull in the nearest declared version within the version range for me. As Perhaps you could provide a test case that reproduces the issue of the snapshot release being pulled in when you use |
|
Sure, all I have to do is pull in maxmind with a snapshots repo enabled, and nothing else:
Dependency analysis ( Gradle defaults to the highest version of the transitive deps if not specified as a primary dep. This isn't limited to You could define your range as |
|
Version ranges are indeed part of maven. That doesn't mean they should be used everywhere -- there is a reason they aren't. Fundamentally they make builds unrepeatable -- the version chosen depends on changes external to the build -- and that is ok in some limited use cases, but not usually ok. |
|
From the above comment, this appears to be a Gradle-specific issue rather than a Maven issue. It is not making builds with Maven fundamentally unrepeatable as mentioned above. I'll take a look at Gradle to see if there is something we can do to stop this behavior. |
|
@oschwald I think that's only because maven by default doesn't pull in snapshots. Once jackson 2.9.0 gets released, I suspect you'll have the same issue with maven too. If the jackson dep on geomind happens to be nearest to the top of the dependency tree in people's builds, their build will change to pull in 2.9.0. |
|
@rocketraman, I don't think that is the case. Maven will use the nearest declared dependency if it is in the range specified. Notice how it is pulling in |
|
You're right, I was partially mistaken. The sample build above pulls in 2.8.2 because geoip2-java declares it, and as you say that's "nearer" the top of the dependency tree. But what if someone depended on geoip2-db directly, for some reason? In that case geoip2-db could be "nearer" the top of the tree. For example, this build pulls in results in this tree: even though jjwt wants jackson-databind 2.8.2 (http://search.maven.org/#artifactdetails%7Cio.jsonwebtoken%7Cjjwt%7C0.7.0%7Cjar) |
|
I agree that someone depending on |
|
You're relying on very specific configuration of your project(s), along with very specific behavior of very specific build systems here, by specifying a range. I still don't think its a good idea, when you have other options like runtime checks, and so forth. However, in any case, I've raised an issue with the gradle team here: gradle/gradle#759. I know the workaround in gradle to force the dep version is simple, but I don't like that some random library can take my repeatable build and make it unrepeatable by default because they've catered to a maven-style dep resolution, and hopefully the gradle guys can think of a good solution to that. |
|
Looks like this issue happened for us this morning out of the blue. We're using maven and declaring a simple dependency to geoip2 2.7.0 Our pom dependencies haven't changed in a while (few months) so this came as a big surprise as to why this was suddenly happening. I haven't got much expertise with maven so I'm not sure what the root cause of the issue is but we've fixed it by excluding jackson explicitly and forcing our own version: |
|
+1 affected us as well. Will try the solution by @ben-bourdin451 - thanks! |
|
+1 also an issue for us. Would love to see it fixed here. |
|
Solution by @ben-bourdin451 worked, here is our full solution in Would be great if it is fixed here directly. |
|
+1 Unpleasant surprise this morning. Would love to see a fix. |
|
The issue this morning is somewhat unrelated to the original Gradle issue, but we have stopped using version ranges, at least temporarily due to it. |
|
|
|
Thanks @oschwald, apologies if this wasn't related to original issue. I can confirm the new version resolved this morning's problems |
|
@oschwald When will |
|
@tholu, it was released on oss.sonatype.org ~15 minutes ago. I don't know the exact syncing schedule, but I would suspect it should be on most mirrors in a couple of hours. |
I wouldn't say its unrelated at all -- if you read my comments above, I provided fair warning that using version ranges in the manner they were being used was not a good idea, regardless of build system. I'm glad you've come to that realization finally. :-) |
|
@rocketraman, your issue was specific to Gradle and only tangentially related to this issue. I do expect an onslaught of new reports of people experiencing issues due to their |
It was specific to Gradle, but I specifically stated you would in the future run into issues with Maven as well. I'm not going to argue it -- I'll let the previous record, and the current situation, speak for itself. |
|
My company also had unpleasant surprise from yesterday, when our build started failing because it tries to fetch SNAPSHOT libraries dependencies that do not exist. We managed to resolve it by excluding jackson-databind dependency from MaxMind library, but please do consider removing open version range from maxmind-db library for good (not just temporarily). Ranges make more problems than they solve, especially when used in libraries that are used by many other projects. |
|
Hello, I actually sent customer service a problem with your new build. It seems to be missing a package that's trying to get a jackson method. I've been using your service for two years and nothing has failed except for the 2.8.1 release. This is what I sent: I think I found the error in why this method is not showing up: java -cp ~/bod-ip-locate-1.0.jar com.bod.ipGeolocator.ipMainIPOnly I blew up the geoip2-2.8.1.jar: jar -tvf ~/geoip2-2.8.1.jar and I did not see package called: com.maxmind.db and I think that’s why it’s giving me a no method error it’s looking for a package with a method in it that does not exist. Please confirm this with your engineers. 465 Wed Feb 22 07:58:22 PST 2017 META-INF/MANIFEST.MF |
|
@gbartolomebb, it sounds like you are pulling in an old version pre-2.7.0 of |
|
Thanks my pom.xml explicitly references the current Jackson core build (2.8.7), geoip2-2.8.1.jar is missing a package folder called db. It's trying to access a method in a class com.maxmind.db.Decoder.decodeArray from Jackson that doesn't exist: com.maxmind.db does not exist: pom dependencies: |
|
That constructor exists in 2.8.7. See here for the call on our side. If you can create a self-contained test project to exhibit your issue, I would be happy to look into it further. However, given the above and that I can successfully use |
|
Thanks now that you pointed me out to your code I saw that Jackson was a dependency of the MaxMind Reader DB once I added an explicit dependency on:
<dependency>
<groupId>com.maxmind.db</groupId>
<artifactId>maxmind-db</artifactId>
<version>1.2.1</version>
</dependency>
It worked. Odd I didn’t have to do that with 2.8.0
Best,
|
|
Nearing a build release, I think this would a rather of a big surprise to see all your "production" ready builds failing. We have multiple of our projects depending on it and all of them do depend on "maxmind-db" . I'd had to explicitly remove the dependency of |
The transitive dependency on
com.maxmind.db:maxmind-dbcontains an open-ended version clause forjackson-databind:[2.7.0,). This causes gradle to pull in the 2.9.0-SNAPSHOT of jackson-databind into the project.This of course is a big problem -- the runtime now fails when the rest of the project uses a 2.8 release version of jackson.
I'm not sure why this has caused problems in our builds only recently because AFAICT this is not a new thing in maxmind-db. Still, it would be better if maxmind-db declared the version dependency explicitly instead of giving an open-ended range, which I think is the issue.
The text was updated successfully, but these errors were encountered: