Skip to content

Fix dependency management: use specified versions #27496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
npepinpe merged 3 commits into from
Feb 18, 2025
Merged

Fix dependency management: use specified versions #27496

npepinpe merged 3 commits into from
Feb 18, 2025

Conversation

@npepinpe
Copy link
Member

@npepinpe npepinpe commented Jan 28, 2025
edited
Loading

Description

This PR fixes an issue with our dependency management. It seems since April, we introduced spring-boot-dependencies into our parent POM. This means our project generally tries to use the same version for shared dependencies as Spring does (e.g. Netty, Awaitility, Mockito, etc.). I assume the goal was to avoid dependency convergence issues.

This was a nuclear bomb kind of solution however, because what it ended up doing is overwriting any version we later specify via other POM/IMPORT dependencies.

So take, for example, Micrometer (this is how I stumbled on it). We specify in the parent POM version 1.14.3. If you look at the mvn dependency:tree, you'll see it's pulling in 1.13.9. This is extremely confusing, and hard to pinpoint: where is this coming from? We explicitly include the micrometer-bom in our parent/pom and set the version, after all.

The trick is, since the micrometer-bom is declared after the spring-boot-dependencies, any shared dependencies are ignored. The fix is to ensure all explicit, library-specific POM/IMPORT declarations are before spring-boot-dependencies.

I personally would prefer not use spring-boot-dependencies, and having explicit declarations: it's more verbose, but much easier to know and ensure we use the right versions. It also decouples us from the choices of another company on which library versions to use.

For this PR, I didn't do this yet, I'd like to know what others think (in particular those who included it originally), and opted for just declaring our library versions higher. I also had to move the google-libraries declaration second-last, as it overwrote our Protobuf, Netty, gRPC, etc., all so-called "first party libraries" from Google.

Note that this implies we may have been shipping with different versions than we thought, but generally this should not affect CVEs as our scanner runs on the resolved tree, not the POMs themselves.

It does mean however that we may have been merging dependency updates which break things unknowingly, because the version was not even used.

@npepinpe npepinpe self-assigned this Jan 28, 2025
@github-actions github-actions bot added component/zeebe Related to the Zeebe component/team component/operate Related to the Operate component/team component/tasklist Related to the Tasklist component/team component/optimize Related to Optimize component/team labels Jan 28, 2025
@npepinpe npepinpe enabled auto-merge February 17, 2025 17:41
@npepinpe npepinpe requested a review from entangled90 February 17, 2025 17:41
@npepinpe
Copy link
Member Author

npepinpe commented Feb 17, 2025

@entangled90 - somehow I thought I requested a review, but I guess not 😄

entangled90
entangled90 approved these changes Feb 18, 2025
View reviewed changes
Copy link
Contributor

@entangled90 entangled90 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀
However we potentially have the same problems, but not from spring now.
We probably need to think how to enforce this in a more consistent way

@npepinpe npepinpe added this pull request to the merge queue Feb 18, 2025
Merged via the queue into main with commit 625407f Feb 18, 2025
85 of 87 checks passed
@npepinpe npepinpe deleted the np-fix-deps-mgmt branch February 18, 2025 09:46
@npepinpe npepinpe added backport stable/8.6 Backport a pull request to stable/8.6 backport stable/8.7 Backport a pull request to stable/8.7 labels Feb 28, 2025
@npepinpe
Copy link
Member Author

npepinpe commented Feb 28, 2025

/backport

@backport-action backport-action mentioned this pull request Feb 28, 2025
Merged
@backport-action
Copy link
Collaborator

backport-action commented Feb 28, 2025

Created backport PR for stable/8.6:

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin backport-27496-to-stable/8.6
git worktree add --checkout .worktree/backport-27496-to-stable/8.6 backport-27496-to-stable/8.6
cd .worktree/backport-27496-to-stable/8.6
git reset --hard HEAD^
git cherry-pick -x 9f505bf71ee3d7bb77d8b30a5ca7a1b5f1548aa9 6b3b5e3437098cbe219f54581f15574be370da23
git push --force-with-lease

@backport-action backport-action mentioned this pull request Feb 28, 2025
Merged
@backport-action
Copy link
Collaborator

backport-action commented Feb 28, 2025

Created backport PR for stable/8.7:

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin backport-27496-to-stable/8.7
git worktree add --checkout .worktree/backport-27496-to-stable/8.7 backport-27496-to-stable/8.7
cd .worktree/backport-27496-to-stable/8.7
git reset --hard HEAD^
git cherry-pick -x 9f505bf71ee3d7bb77d8b30a5ca7a1b5f1548aa9 6b3b5e3437098cbe219f54581f15574be370da23
git push --force-with-lease

github-merge-queue bot pushed a commit that referenced this pull request Mar 13, 2025
@npepinpe
[Backport stable/8.6] Fix dependency management: use specified versio…
a5f4207 
…ns (#28964)

# Description
Backport of #27496 to `stable/8.6`.

relates to
github-merge-queue bot pushed a commit that referenced this pull request Mar 13, 2025
@npepinpe
[Backport stable/8.7] Fix dependency management: use specified versio…
20c6e27 
…ns (#28965)

# Description
Backport of #27496 to `stable/8.7`.

Reasoning for bumping up `micrometer` dependency:

- This backport fixes io.micrometer:`micrometer-registry-otlp to 1.13.6`
- In `stable/8.7` we have `springboot` provided version
`io.micrometer:micrometer-registry-otlp:jar:1.14.4:test`

`MetricsConfigurationIT` won't pass with version `1.13.6` as spring
class `OtlpMetricsProperties` requires `HistogramFlavor` and it is not
present in` 1.13.6`
@korthout korthout added the version:8.7.0 Marks an issue as being completely or in parts released in 8.7.0 label Apr 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@entangled90 entangled90 entangled90 approved these changes

Assignees

@npepinpe npepinpe

Labels

backport stable/8.6 Backport a pull request to stable/8.6 backport stable/8.7 Backport a pull request to stable/8.7 component/operate Related to the Operate component/team component/optimize Related to Optimize component/team component/tasklist Related to the Tasklist component/team component/zeebe Related to the Zeebe component/team version:8.6.12 version:8.7.0 Marks an issue as being completely or in parts released in 8.7.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@npepinpe @backport-action @entangled90 @korthout