Is it possible to enforce usage of specific library version through the whole project?

Time:01-06

I'm trying to fix some vulnerabilities in my program found by the Snyk tool, but some of them are coming from libraries I'm using (like Apache's Pulsar). For example, Pulsar is using version 2.8.6 of gson, which is vulnerable according to Snyk, and the next safe version is 2.8.9. Is it possible to force all the libraries I'm using to use version 2.8.9 of gson (through Gradle)? Or rather not, because it's a really stupid idea prone to unexpected behavior?

Thanks

CodePudding user response:

This is a reasonable thing to want to do. A new version of pulsar which officially supports the upgraded library would be better, but you can often upgrade transitive dependencies safely. Particularly, point releases (i.e. 2.8.6 -> 2.8.9) are likely to be safe if library authors are following semantic versioning.

Gradle provides several ways to do this; it seems like the most idiomatic way right now (as of Gradle 7.3) is to use constraints.

For example, if your dependencies look like this:

dependencies {
  implementation 'org.apache.pulsar:pulsar-client-all:2.9.1'
}

Running dependency insight will show that we're resolving gson 2.8.6:

`./gradlew dependencyInsight --dependency gson`


...

com.google.code.gson:gson:2.8.6
\--- org.apache.pulsar:pulsar-package-core:2.9.1
     \--- org.apache.pulsar:pulsar-client-all:2.9.1
          \--- compileClasspath

We can add a constraint which will force it to use a newer version like this:

dependencies {
  implementation 'org.apache.pulsar:pulsar-client-all:2.9.1'
  constraints {
        implementation('com.google.code.gson:gson:2.8.9') {
            because 'previous versions have a security vulnerability'
        }
  }
}

Now we get the following result:

com.google.code.gson:gson:2.8.9
...
   Selection reasons:
      - By constraint : previous versions have a security vulnerability
      - By conflict resolution : between versions 2.8.9 and 2.8.6

com.google.code.gson:gson:2.8.9
\--- compileClasspath

com.google.code.gson:gson:2.8.6 -> 2.8.9
\--- org.apache.pulsar:pulsar-package-core:2.9.1
     \--- org.apache.pulsar:pulsar-client-all:2.9.1
          \--- compileClasspath

It's now resolving 2.8.9 like you want.

Gradle has pretty extensive documentation about dependency management which is a great way to find more information about things like this.
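As an added example (not from either answer, and not Pulsar's or Gradle's own code): a complete build.gradle that applies the constraint from the answer above and adds a guard task that fails the build if gson still resolves below 2.8.9 on the runtime classpath, since the constraint only influences resolution and a later change to the dependency graph could silently reintroduce the old version. It assumes the Groovy DSL with the java plugin; the task name checkGsonVersion and the compareVersions helper are my own.

```groovy
plugins { id 'java' }
repositories { mavenCentral() }

dependencies {
    implementation 'org.apache.pulsar:pulsar-client-all:2.9.1'
    constraints {
        implementation('com.google.code.gson:gson:2.8.9') {
            because 'previous versions have a security vulnerability'
        }
    }
}

// Minimum gson version accepted on the runtime classpath (assumed value, from the answer above).
def requiredGson = '2.8.9'

// Dotted numeric version comparison; sufficient for 2.8.x style versions.
int compareVersions(String a, String b) {
    def parts = { String v -> v.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 } }
    def (pa, pb) = [parts(a), parts(b)]
    for (int i = 0; i < Math.max(pa.size(), pb.size()); i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Guard task: the constraint above only asks Gradle to prefer 2.8.9. This task fails the
// build if gson still resolves lower (for example after someone adds a strict requirement
// for an older version), so the regression is caught in CI rather than by the next scan.
tasks.register('checkGsonVersion') {
    doLast {
        def ids = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts.
            collect { it.moduleVersion.id }.
            findAll { it.group == 'com.google.code.gson' && it.name == 'gson' }
        if (ids.empty) {
            throw new GradleException('gson is not on runtimeClasspath; check the dependency graph')
        }
        ids.each { id ->
            if (compareVersions(id.version, requiredGson) < 0) {
                throw new GradleException("gson ${id.version} resolved on runtimeClasspath, need >= ${requiredGson}")
            }
        }
        logger.lifecycle("gson resolved to ${ids*.version.unique()} on runtimeClasspath")
    }
}

// Run the guard as part of 'check' so that 'gradle build' enforces it.
tasks.named('check') { dependsOn 'checkGsonVersion' }
```

Note that dependencyInsight in the answer above was run against compileClasspath; the guard deliberately inspects runtimeClasspath, because that is the classpath the vulnerable class would actually be loaded from.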

CodePudding user response:

I am not sure that this is a good idea; I think it's a better idea to update to the Apache Pulsar version that depends on a stable version of gson.

But still, I am not 100% sure; wait for others for clarification.

Still, what you want can be done like the following:

configurations.all {
    // exclude matches on group and module (not on a version string),
    // so this removes every transitive gson; the direct dependency below adds 2.8.9 back
    exclude group: 'com.google.code.gson', module: 'gson'
}

This will exclude all the gson with version 2.8.6 across the project.

Then you can add the following version as you want:

dependencies {
    implementation 'com.google.code.gson:gson:2.8.9'
}