fix: declare commons-codec as direct dependency in google-http-client #2168
lqiu96 wants to merge 1 commit into
This ensures that consumers of google-http-client (like google-auth-library) resolve commons-codec to the intended version (1.14) instead of falling back to the transitive default from httpclient (1.11). TAG=agy CONV=434bf939-537d-4929-a784-244f71a2b946
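An added illustration, not part of the PR or the project's code: a simplified Python model of Maven's nearest-wins dependency mediation, applied to the artifacts named above. The graphs are constructed, versions other than those of commons-codec are placeholders, and the `managed` parameter is a hypothetical stand-in for a consumer pinning the version through dependencyManagement.

```python
from collections import deque

ROOT = "google-auth-library-oauth2-http"

# Constructed graphs: {artifact: [(dependency, declared version), ...]}.
# Only commons-codec versions come from the page; the rest are placeholders.
BEFORE = {
    ROOT: [("google-http-client", "placeholder")],
    "google-http-client": [("httpclient", "placeholder")],
    "httpclient": [("commons-codec", "1.11")],
}
# After the change, google-http-client also declares commons-codec directly.
AFTER = dict(BEFORE)
AFTER["google-http-client"] = [
    ("httpclient", "placeholder"),
    ("commons-codec", "1.14"),
]


def resolve(graph, root, managed=None):
    """Return {artifact: (version, path)} as seen from `root`.

    Simplified mediation: the declaration nearest to the root wins, ties go
    to the first one declared, and a losing declaration is not descended
    into. Versions in `managed` (the root's own pins) override whatever a
    transitive declaration asks for.
    """
    managed = managed or {}
    resolved = {}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for dep, version in graph.get(node, []):
            if dep in resolved:
                continue  # a nearer or earlier declaration already won
            dep_path = path + [dep]
            resolved[dep] = (managed.get(dep, version), dep_path)
            queue.append((dep, dep_path))
    return resolved


if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER)):
        version, path = resolve(graph, ROOT)["commons-codec"]
        print(f"{label}: commons-codec {version} via {' -> '.join(path)}")
```

In the "before" graph the only declaration of commons-codec is the one under httpclient, so the consumer gets 1.11; in the "after" graph the direct declaration sits one level nearer and wins.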
I think it should be the consumer's responsibility to resolve to a higher version? For GAPIC client libraries, it should be fine since commons-codec is already managed. So maybe we manage the version in auth as well? In the future though, we should extract it to a high level so both auth and third-party-dependencies share the same versions.
Hmm, I would think this applies for direct dependencies that consumers need a newer version for or transitive deps pulled from repos where we can't change ourselves. It seems odd to have downstream libraries manage the versions for upstream transitive dependencies if the deps come from upstream repos we own. I guess we already manage deps for a few transitive deps in shared-deps for better or worse and I'll keep with the pattern.
Yeah, I'll update in auth bom for now
This ensures that consumers of google-http-client (like google-auth-library) resolve commons-codec to the intended version (1.14) instead of falling back to the transitive default from httpclient (1.11).
Verification
Below is the comparison of mvn dependency:tree on google-auth-library-oauth2-http before and after this change, demonstrating that commons-codec is now correctly resolved to 1.14 transitively.
Before (with google-http-client v2.1.1)
commons-codec resolved to 1.11 via httpclient:
After