I am using a recent dependency of grpc-netty.
The issue is it is bringing older versions of io.netty dependencies (4.1.27)
I looked in the grpc-netty project and the used io.netty dependency version is 4.1.63.
Any idea what can be the reason for having this dependencies bring older versions of transitive dependencies?
Thank you
Asked
Active
Viewed 1,616 times
0
Siri
- 97
- 10
-
Post your pom.xml – seenukarthi Feb 12 '22 at 04:27
-
Please show your full pom file... I suppose you or an other dependencies / bom is bringing it in... – khmarbaise Feb 12 '22 at 13:08
2 Answers
2
Maven does not compare version numbers when choosing a version of a dependency. It simply chooses the first version it encounters when performing a breadth-first search. For this reason, gRPC team strongly recommends using Maven enforcers requireUpperBoundDeps to let you detect issues like the one you face:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>1.4.1</version>
<executions>
<execution>
<id>enforce</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<requireUpperBoundDeps/>
</rules>
</configuration>
</execution>
</executions>
</plugin>
Then, to fix issues there are two approaches:
- Reorder dependency list or re-define transitive dependencies
- Use a BOM
(1) targets the breadth-first search of Maven to have the version you want to be "seen" first by Maven's search. For example, you could reorder netty-handler before grpc-netty in your <dependencies>, then Maven will encounter it first and choose its direct dependencies before grpc-netty's direct dependencies. When you can't reorder to resolve issues you can add an explicit dependency on a transitive dependency to explicitly choose its version. For example, you could add netty-resolver with version 4.1.51.Final in your <dependencies>.
(2) is for multi-artifact projects like gRPC and Netty, where you really want the versions of the various artifacts to agree. You generally don't want to use netty-buffer 4.1.51.Final with netty-codec-http2 4.1.27.Final; you want them the same version. In these cases you can check whether the project has a BOM. Both gRPC and Netty have BOMs. With a BOM you would select the version to use once for all the various artifacts in that project. BOMs are defined in the <dependencyManagement> section, which is a separate section than <dependencies>.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-bom</artifactId>
<version>4.1.51.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
...
Whatever you do, don't exclude. Exclusions cause dependency trouble later because they hide the transitive dependencies. If a newer version of gRPC depends on a newer version of Netty, then you'd end up downgrading Netty. And at that point build tools can no longer detect or manage the problem; you'll only discover such issues at runtime.
It is clear from what you've shown that something more is going on in your pom.xml; you really need to share more of your pom to diagnose. But with the other answers telling you to exclude I wanted to show the more appropriate ways of resolving.
Eric Anderson
- 24,057
- 5
- 55
- 76
0
<dependency>
<groupId>xxx</groupId>
<artifactId>xxx</artifactId>
<exclusions>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-codec-http2</artifactId>
</exclusion>
</exclusions>
</dependency>
You need exclusions tag
-
@Elikill58, Are you able to answer this question by any chance? https://stackoverflow.com/questions/71104529/can-maven-run-both-cucumber-junit-and-testng-runners-together – The man Feb 13 '22 at 20:40
-
@Theman No, sorry I'm not so strong for your question. Your question seems fine, but I don't think it's a good idea to make ad for it on other posts – Elikill58 Feb 13 '22 at 21:06