sjvanrossum commented on code in PR #39297:
URL: https://github.com/apache/beam/pull/39297#discussion_r3567067456
##########
build.gradle.kts:
##########
@@ -1056,3 +1056,22 @@ if (project.hasProperty("testJavaVersion")) {
}
}
}
+
+subprojects {
+ configurations {
+ configureEach {
+ resolutionStrategy {
+ dependencySubstitution {
+ // Substitute dependencies (including transitive) on
org.lz4:lz4-java regardless of capability conflicts.
+ // All published versions of org.lz4:lz4-java have known
vulnerabilities.
+ // At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have
known vulnerabilities.
+ // Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java
is always selected.
+ // Gradle resolves version conflicts by selecting the highest
version by default.
+ // Gradle only resolves capability conflicts when multiple modules
provide the same capability.
+ // This would allow org.lz4:lz4-java to still be selected, which is
undesirable because of vulnerabilities.
+
substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:1.10.1"))
+ }
+ }
+ }
Review Comment:
Suggestion 1 is not commonly applied as far as I can tell from other Gradle
projects.
Suggestion 2 seems fair given that all versions are defined in
`BeamModulePlugin.groovy`, but it doesn't look particularly elegant:
```kotlin
var lz4Java = (project.ext.get("library") as Map<String, Map<String,
*>>).get("java")!!.get("lz4_java").toString()
subprojects {
configurations {
configureEach {
resolutionStrategy {
dependencySubstitution {
// Substitute dependencies (including transitive) on
org.lz4:lz4-java regardless of capability conflicts.
// All published versions of org.lz4:lz4-java have known
vulnerabilities.
// At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have
known vulnerabilities.
// Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java
is always selected.
// Gradle resolves version conflicts by selecting the highest
version by default.
// Gradle only resolves capability conflicts when multiple modules
provide the same capability.
// This would allow org.lz4:lz4-java to still be selected, which
is undesirable because of vulnerabilities.
substitute(module("org.lz4:lz4-java")).using(module(lz4Java))
}
}
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]