bonampak commented on PR #992: URL: https://github.com/apache/knox/pull/992#issuecomment-2672185075
Okhttp 4.x is written in Kotlin and needs the kotlin-stdlib artifacts.

The com.cloudera.api.swagger:cloudera-manager-api-swagger:7.13.1 brings in

```
<gson-fire-version>1.8.5</gson-fire-version>
<swagger-core-version>2.0.0</swagger-core-version>
<okhttp-version>4.10.0</okhttp-version>
<gson-version>2.10.1</gson-version>
```

Okhttp 4.10 is not the latest, but the swagger-codegen library only has this option. From the CM part, they would have liked to set the okhttp3 version to 4.12, but swagger-codegen is bringing internally version 4.10:
https://github.com/swagger-api/swagger-codegen/blob/master/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavaClientCodegen.java#L89
https://github.com/swagger-api/swagger-codegen/issues/12337
(It seems that openapi-generator with okhttp 4.12 - gson or with httpclient 5 could be used instead of swagger-codegen.)

So we need to bump okhttp to 4.12.0, and I was also asked to upgrade gson-fire to 1.9.0; the latter has a gson:2.10.1 dependency (we had 2.8.9).

The kotlin libraries are upgraded to 1.9.10 because of dependency convergence issues:

```
Dependency convergence error for org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21 paths to dependency are:
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT
  +-com.cloudera.api.swagger:cloudera-manager-api-swagger:7.13.1
    +-com.squareup.okhttp3:logging-interceptor:4.12.0
      +-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21
and
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT
  +-com.squareup.okhttp3:okhttp:4.12.0
    +-com.squareup.okio:okio:3.6.0
      +-com.squareup.okio:okio-jvm:3.6.0
        +-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.10
and
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT
  +-com.squareup.okhttp3:okhttp:4.12.0
    +-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21
```

https://github.com/square/okhttp/issues/8288
"OkHttp 4.12.0 expects you to use any version of kotlin greater than or equal to 1.8.21. We don't rush out a release each time okio releases with a newer Kotlin. This isn't a thing we worry about at all." ... "It's already fixed in the 5.0 alphas."

Due to these issues, teams either remain on the latest non-kotlin version or remove okhttp:
https://issues.apache.org/jira/browse/HADOOP-18496 upgrade kotlin-stdlib due to CVEs
https://issues.apache.org/jira/browse/HADOOP-18890 Remove use of okhttp in runtime code.

org.jetbrains:annotations also needed to be resolved:

```
Dependency convergence error for org.jetbrains:annotations:16.0.2 paths to dependency are:
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT
  +-org.apache.knox:gateway-server:2.1.0-SNAPSHOT
    +-org.jetbrains.pty4j:pty4j:0.11.4
      +-org.jetbrains:annotations:16.0.2
and
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT
  +-com.squareup.okhttp3:okhttp:4.12.0
    +-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.10
      +-org.jetbrains.kotlin:kotlin-stdlib:1.9.10
        +-org.jetbrains:annotations:13.0
```

I excluded it from kotlin-stdlib because simply adding it to dependencyManagement would cause it to become a compile-time dependency on pty4j.

The okio dependency was pinned to 3.6.0 because of this:

```
Dependency convergence error for com.squareup.okio:okio:1.6.0 paths to dependency are:
+-org.apache.knox:gateway-test-release:2.1.0-SNAPSHOT
  +-org.apache.hadoop:hadoop-hdfs-client:3.2.4
    +-com.squareup.okhttp:okhttp:2.7.5
      +-com.squareup.okio:okio:1.6.0
and
+-org.apache.knox:gateway-test-release:2.1.0-SNAPSHOT
  +-org.apache.knox:gateway-release:2.1.0-SNAPSHOT
    +-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT
      +-com.squareup.okhttp3:okhttp:4.12.0
        +-com.squareup.okio:okio:3.6.0
```

hadoop-hdfs-client is a test dependency (so the old okhttp:2.7.5 will not be in our release artifact dependencies) and okio is backwards-compatible: https://github.com/square/okio/issues/1323

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
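The convergence errors quoted in the comment can be triaged mechanically: for each conflicting artifact, find the highest version seen and the dependencies that still request an older one. The Python below is an added example, not code from the PR or from Knox; the function names are hypothetical, and it assumes `group:artifact:version` coordinates as in the quoted output and a simplified numeric version ordering.

```python
import re
from collections import defaultdict

# Two of the enforcer errors quoted in the comment, one dependency path per line.
SAMPLE = """\
Dependency convergence error for org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21 paths to dependency are:
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT +-com.cloudera.api.swagger:cloudera-manager-api-swagger:7.13.1 +-com.squareup.okhttp3:logging-interceptor:4.12.0 +-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21
and
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT +-com.squareup.okhttp3:okhttp:4.12.0 +-com.squareup.okio:okio:3.6.0 +-com.squareup.okio:okio-jvm:3.6.0 +-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.10
and
+-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT +-com.squareup.okhttp3:okhttp:4.12.0 +-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21
Dependency convergence error for com.squareup.okio:okio:1.6.0 paths to dependency are:
+-org.apache.knox:gateway-test-release:2.1.0-SNAPSHOT +-org.apache.hadoop:hadoop-hdfs-client:3.2.4 +-com.squareup.okhttp:okhttp:2.7.5 +-com.squareup.okio:okio:1.6.0
and
+-org.apache.knox:gateway-test-release:2.1.0-SNAPSHOT +-org.apache.knox:gateway-release:2.1.0-SNAPSHOT +-org.apache.knox:gateway-discovery-cm:2.1.0-SNAPSHOT +-com.squareup.okhttp3:okhttp:4.12.0 +-com.squareup.okio:okio:3.6.0
"""

def version_key(v):
    # Assumption: plain dotted versions; this is not Maven's ComparableVersion.
    return tuple(int(n) for n in re.findall(r"\d+", v))

def parse_convergence(text):
    """Return {group:artifact: {version: [path, ...]}} from enforcer output."""
    report = defaultdict(lambda: defaultdict(list))
    # The banner names only one of the conflicting versions, so read the leaves.
    for block in re.split(r"Dependency convergence error for \S+", text)[1:]:
        body = block.split("paths to dependency are:", 1)[-1]
        for chunk in re.split(r"\s+and\s+", body):
            path = re.findall(r"\+-(\S+)", chunk)  # works indented or flattened
            if len(path) < 2:
                continue  # truncated or unrelated text
            group, artifact, version = path[-1].rsplit(":", 2)
            report[f"{group}:{artifact}"][version].append(path)
    return report

def pin_candidates(report):
    """Per artifact: (highest version seen, parents requesting an older one)."""
    out = {}
    for ga, versions in report.items():
        highest = max(versions, key=version_key)
        # The parent of the leaf is the dependency that requests that version.
        stale = sorted({p[-2] for v, paths in versions.items()
                        if v != highest for p in paths})
        out[ga] = (highest, stale)
    return out

if __name__ == "__main__":
    for ga, (pin, stale) in pin_candidates(parse_convergence(SAMPLE)).items():
        print(f"{ga}: highest {pin}; older version requested by {stale}")
```

The highest version is only a candidate for pinning; whether it is backwards-compatible for the dependencies listed as requesting an older one still has to be checked, as the comment does for okio.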