beam-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dhalperi <...@git.apache.org>
Subject [GitHub] beam pull request #2934: [BEAM-2190] pom.xml: do a better job of dependency ...
Date Sat, 06 May 2017 01:24:57 GMT
GitHub user dhalperi opened a pull request:

    https://github.com/apache/beam/pull/2934

    [BEAM-2190] pom.xml: do a better job of dependency management

    Even if Beam appears to have the correct dependencies, we cannot
    guarantee that modules that depend on us transitively get the right
    dependencies. For example, even though grpc-protobuf-lite has
    protobuf-lite excluded, and the Maven Enforcer banned-dependencies
    check passes... if a user happens to get a transitive dependency on
    grpc-all first, they may pull in grpc-protobuf from that other source
    without the exclusion. Thus we need to exclude protobuf-lite from
    grpc-all as well.
    
    While we're here, also add guava-jdk5 to the set of banned dependencies,
    though (as above) we cannot currently properly identify the places it
    might be transitively exposed in a users' pom.xml.
    
    R: @davorbonaci 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/dhalperi/beam banned-protobuf-lite

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/beam/pull/2934.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2934
    
----
commit 4d0c4563f8fe1fb6831d7090c12158f1155dccbd
Author: Dan Halperin <dhalperi@google.com>
Date:   2017-05-06T00:16:34Z

    [BEAM-2190] pom.xml: do a better job of dependency management
    
    Even if Beam appears to have the correct dependencies, we cannot
    guarantee that modules that depend on us transitively get the right
    dependencies. For example, even though grpc-protobuf-lite has
    protobuf-lite excluded, and the Maven Enforcer banned-dependencies
    check passes... if a user happens to get a transitive dependency on
    grpc-all first, they may pull in grpc-protobuf from that other source
    without the exclusion. Thus we need to exclude protobuf-lite from
    grpc-all as well.
    
    While we're here, also add guava-jdk5 to the set of banned dependencies,
    though (as above) we cannot currently properly identify the places it
    might be transitively exposed in a users' pom.xml.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message