Redundant dependency on `protobuf-java` can be removed to solve dependency convergence error #29

detouched · 2024-09-06T00:23:40Z

Enforcer plugin reports dependency convergence issue for Stasig SDK:

Dependency convergence error for com.google.protobuf:protobuf-java:3.25.3 paths to dependency are:
+-org.detouched.playground:statsig:1.0-SNAPSHOT
  +-com.statsig:serversdk:1.25.0
    +-io.grpc:grpc-protobuf:1.66.0
      +-com.google.protobuf:protobuf-java:3.25.3
and
+-org.detouched.playground:statsig:1.0-SNAPSHOT
  +-com.statsig:serversdk:1.25.0
    +-io.grpc:grpc-protobuf:1.66.0
      +-com.google.api.grpc:proto-google-common-protos:2.41.0
        +-com.google.protobuf:protobuf-java:3.25.3
and
+-org.detouched.playground:statsig:1.0-SNAPSHOT
  +-com.statsig:serversdk:1.25.0
    +-com.google.protobuf:protobuf-java:3.24.4

This can be solved by manually excluding transitive dependency on protobuf-java and explicitly adding a direct dependency on it, but this means I'll have to keep an eye on the version compatibility in the future which isn't great.

Since io.grpc:grpc-protobuf already pulls in com.google.protobuf:protobuf-java, it doesn't make much sense to keep an explicit dependency on the latter in Gradle config unless it was added to avoid some vulnerability. I don't think it is the case, so maybe it's worth removing it?

The text was updated successfully, but these errors were encountered:

xinlili-statsig · 2024-09-24T17:35:09Z

Thanks for reporting, yea, we should be able to remove this dependency explicitly

xinlili-statsig · 2024-10-03T17:38:40Z

Hi this is fixed with the latest version

detouched changed the title ~~Redundant dependency on protobuf-java can be removed to solve dependency convergence~~ Redundant dependency on protobuf-java can be removed to solve dependency convergence error Sep 6, 2024

detouched mentioned this issue Sep 8, 2024

Remove redundant dependency #30

Open

xinlili-statsig closed this as completed Oct 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Redundant dependency on `protobuf-java` can be removed to solve dependency convergence error #29

Redundant dependency on `protobuf-java` can be removed to solve dependency convergence error #29

detouched commented Sep 6, 2024

xinlili-statsig commented Sep 24, 2024

xinlili-statsig commented Oct 3, 2024

Redundant dependency on protobuf-java can be removed to solve dependency convergence error #29

Redundant dependency on protobuf-java can be removed to solve dependency convergence error #29

Comments

detouched commented Sep 6, 2024

xinlili-statsig commented Sep 24, 2024

xinlili-statsig commented Oct 3, 2024

Redundant dependency on `protobuf-java` can be removed to solve dependency convergence error #29

Redundant dependency on `protobuf-java` can be removed to solve dependency convergence error #29