[ 
https://issues.apache.org/jira/browse/BEAM-2190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999213#comment-15999213
 ] 

ASF GitHub Bot commented on BEAM-2190:
--------------------------------------

GitHub user dhalperi opened a pull request:

    https://github.com/apache/beam/pull/2934

    [BEAM-2190] pom.xml: do a better job of dependency management

    Even if Beam appears to have the correct dependencies, we cannot
    guarantee that modules that depend on us transitively get the right
    dependencies. For example, even though grpc-protobuf-lite has
    protobuf-lite excluded, and the Maven Enforcer banned-dependencies
    check passes... if a user happens to get a transitive dependency on
    grpc-all first, they may pull in grpc-protobuf from that other source
    without the exclusion. Thus we need to exclude protobuf-lite from
    grpc-all as well.
    
    While we're here, also add guava-jdk5 to the set of banned dependencies,
    though (as above) we cannot currently properly identify the places it
    might be transitively exposed in a user's pom.xml.
    
    R: @davorbonaci 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/dhalperi/beam banned-protobuf-lite

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/beam/pull/2934.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2934
    
----
commit 4d0c4563f8fe1fb6831d7090c12158f1155dccbd
Author: Dan Halperin <[email protected]>
Date:   2017-05-06T00:16:34Z

    [BEAM-2190] pom.xml: do a better job of dependency management
    
    Even if Beam appears to have the correct dependencies, we cannot
    guarantee that modules that depend on us transitively get the right
    dependencies. For example, even though grpc-protobuf-lite has
    protobuf-lite excluded, and the Maven Enforcer banned-dependencies
    check passes... if a user happens to get a transitive dependency on
    grpc-all first, they may pull in grpc-protobuf from that other source
    without the exclusion. Thus we need to exclude protobuf-lite from
    grpc-all as well.
    
    While we're here, also add guava-jdk5 to the set of banned dependencies,
    though (as above) we cannot currently properly identify the places it
    might be transitively exposed in a user's pom.xml.

----


> User depending on IO-GCP still gets a dependency on protobuf-lite
> -----------------------------------------------------------------
>
>                 Key: BEAM-2190
>                 URL: https://issues.apache.org/jira/browse/BEAM-2190
>             Project: Beam
>          Issue Type: Bug
>          Components: sdk-java-gcp
>            Reporter: Daniel Halperin
>            Assignee: Daniel Halperin
>             Fix For: First stable release
>
>
> Somehow a user with a single dependency on 
> {{org.apache.beam:beam-sdks-java-io-google-cloud-platform}} gets a transitive 
> dependency on {{protobuf-lite}}, despite it being banned in our build and 
> excluded from {{grpc-protobuf-lite}}.
> We must need to do more work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
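
The commit message notes that the Enforcer check in Beam's own build cannot see how a downstream project resolves its dependencies. The following is an added example, not part of the original message or of Beam's build: a consumer-side check that reads `mvn dependency:tree` text output and reports the chain through which a banned artifact arrives. The sample tree, the `com.example:consumer` project, the `0.0.0` versions and the function names are assumptions made for illustration.

```python
import re

# Constructed `mvn dependency:tree` output for a hypothetical consumer project.
# Coordinates are the ones named in the message; versions (0.0.0) and the exact
# tree shape are made up for illustration.
SAMPLE_TREE = r"""
[INFO] com.example:consumer:jar:0.0.0
[INFO] +- org.apache.beam:beam-sdks-java-io-google-cloud-platform:jar:0.0.0:compile
[INFO] |  +- io.grpc:grpc-all:jar:0.0.0:compile
[INFO] |  |  \- io.grpc:grpc-protobuf:jar:0.0.0:compile
[INFO] |  |     \- com.google.protobuf:protobuf-lite:jar:0.0.0:compile
[INFO] |  \- com.google.guava:guava:jar:0.0.0:compile
[INFO] \- junit:junit:jar:0.0.0:test
"""

# The two artifacts the message bans.
BANNED = {"com.google.protobuf:protobuf-lite", "com.google.guava:guava-jdk5"}

# Each tree level is drawn with one 3-character cell: "+- ", "\- ", "|  " or "   ".
NODE = re.compile(r"^\[INFO\] ((?:\+- |\\- |\|  |   )*)([\w.\-]+):([\w.\-]+):")


def banned_paths(tree_text, banned=BANNED):
    """Return the full root-to-artifact chain for every banned artifact found."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # Maven banner, blank or summary line
        depth = len(m.group(1)) // 3
        coord = f"{m.group(2)}:{m.group(3)}"
        del stack[depth:]  # drop siblings and their subtrees
        stack.append(coord)
        if coord in banned:
            hits.append(list(stack))
    return hits


def exclusion_points(tree_text, banned=BANNED):
    """Map each banned artifact to the direct dependencies that drag it in,
    i.e. where the consumer's own pom.xml would need an <exclusion>."""
    points = {}
    for path in banned_paths(tree_text, banned):
        if len(path) > 1:
            points.setdefault(path[-1], set()).add(path[1])
    return {k: sorted(v) for k, v in points.items()}


if __name__ == "__main__":
    for path in banned_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Run against a real project by piping the output of `mvn dependency:tree` into `banned_paths`; an empty result means neither banned artifact was resolved for that project.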
