gemini-code-assist[bot] commented on code in PR #39297:
URL: https://github.com/apache/beam/pull/39297#discussion_r3566599979


##########
build.gradle.kts:
##########
@@ -1056,3 +1056,22 @@ if (project.hasProperty("testJavaVersion")) {
     }
   }
 }
+
+subprojects {
+  configurations {
+    configureEach {
+      resolutionStrategy {
+        dependencySubstitution {
+          // Substitute dependencies (including transitive) on 
org.lz4:lz4-java regardless of capability conflicts.
+          // All published versions of org.lz4:lz4-java have known 
vulnerabilities.
+          // At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have 
known vulnerabilities.
+          // Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java 
is always selected.
+          // Gradle resolves version conflicts by selecting the highest 
version by default.
+          // Gradle only resolves capability conflicts when multiple modules 
provide the same capability.
+          // This would allow org.lz4:lz4-java to still be selected, which is 
undesirable because of vulnerabilities.
+          
substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:1.10.1"))
+        }
+      }
+    }

Review Comment:
   ![medium](https://www.gstatic.com/codereviewagent/medium-priority.svg)
   
   There are two improvement opportunities in this block:
   
   1. **Performance Optimization**: Configuring the resolution strategy for 
every single configuration across all subprojects introduces unnecessary 
configuration overhead, especially for non-resolvable configurations (e.g., 
`api`, `implementation`, `compileOnly`). Restricting this to only resolvable 
configurations using `isCanBeResolved` improves build performance.
   2. **Centralized Dependency Management**: Hardcoding the version `1.10.1` 
directly in the root build script duplicates the dependency version definition 
and bypasses centralized dependency management. Defining this version in a 
centralized location (such as `gradle.properties`) and referencing it here 
using `project.findProperty` improves maintainability.
   
   ```kotlin
       configureEach {
         if (isCanBeResolved) {
           val lz4Version = project.findProperty("lz4.version") ?: "1.10.1"
           resolutionStrategy {
             dependencySubstitution {
               // Substitute dependencies (including transitive) on 
org.lz4:lz4-java regardless of capability conflicts.
               // All published versions of org.lz4:lz4-java have known 
vulnerabilities.
               // At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have 
known vulnerabilities.
               // Substituting org.lz4:lz4-java ensures that 
at.yawk.lz4:lz4-java is always selected.
               // Gradle resolves version conflicts by selecting the highest 
version by default.
               // Gradle only resolves capability conflicts when multiple 
modules provide the same capability.
               // This would allow org.lz4:lz4-java to still be selected, which 
is undesirable because of vulnerabilities.
               
substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:$lz4Version"))
             }
           }
         }
       }
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to