fix: declare commons-codec as direct dependency in google-http-client #2168

Closed: lqiu96 wants to merge 1 commit into main from fix-commons-codec-transitive

lqiu96 (Member) commented Jun 30, 2026

This ensures that consumers of google-http-client (like google-auth-library) resolve commons-codec to the intended version (1.14) instead of falling back to the transitive default from httpclient (1.11).

Verification

Below is the comparison of mvn dependency:tree on google-auth-library-oauth2-http before and after this change, demonstrating that commons-codec is now correctly resolved to 1.14 transitively.

Before (with google-http-client v2.1.1)

commons-codec resolved to 1.11 via httpclient:

[INFO] +- com.google.http-client:google-http-client:jar:2.1.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.11:compile

After

[INFO] +- com.google.http-client:google-http-client:jar:2.1.2-SNAPSHOT:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.14:compile
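
An added example, not part of the PR or the project's code: a consumer-side check that parses `mvn dependency:tree` output and reports any artifact that resolves below a chosen floor, along with the path that pulled it in. The inputs are the two excerpts above; the 1.14 floor is the version the description calls intended, and the function names and the numeric-only version comparison are assumptions of this example.

```python
import re

# Constructed input: the two dependency:tree excerpts from the PR description.
BEFORE = r"""
[INFO] +- com.google.http-client:google-http-client:jar:2.1.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.11:compile
"""
AFTER = r"""
[INFO] +- com.google.http-client:google-http-client:jar:2.1.2-SNAPSHOT:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.14:compile
"""

# Assumed policy for this example: the version the PR calls "intended".
FLOORS = {"commons-codec:commons-codec": "1.14"}
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- (\S+)$")

def vkey(version):
    """Numeric-only comparison key; a simplification of Maven's version ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def resolved(tree):
    """Map groupId:artifactId -> (version, path of artifactIds that pulled it in)."""
    out, stack = {}, []
    for line in tree.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # root project line, banners, blank lines, omitted nodes
        depth = len(m.group(1)) // 3  # each nesting level is three characters wide
        parts = m.group(2).split(":")  # g:a:type[:classifier]:version:scope
        del stack[depth:]
        stack.append(parts[1])
        out[":".join(parts[:2])] = (parts[-2], list(stack))
    return out

def below_floor(tree, floors=FLOORS):
    """Return (coordinate, resolved, floor, path) for each artifact under its floor."""
    deps = resolved(tree)
    return [(ga, deps[ga][0], want, deps[ga][1])
            for ga, want in floors.items()
            if ga in deps and vkey(deps[ga][0]) < vkey(want)]

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER)):
        print(name, below_floor(tree) or "ok")
```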

product-auto-label (bot) added the "size: xs" label (pull request size is extra small) Jun 30, 2026

This ensures that consumers of google-http-client (like google-auth-library)
resolve commons-codec to the intended version (1.14) instead of falling
back to the transitive default from httpclient (1.11).

TAG=agy
CONV=434bf939-537d-4929-a784-244f71a2b946
lqiu96 force-pushed the fix-commons-codec-transitive branch from 82a71f1 to 1d4a477 June 30, 2026 15:50
lqiu96 requested a review from blakeli0 June 30, 2026 16:10
lqiu96 marked this pull request as ready for review June 30, 2026 16:10
lqiu96 requested a review from a team as a code owner June 30, 2026 16:10

blakeli0 commented

> This ensures that consumers of google-http-client (like google-auth-library) resolve commons-codec to the intended version (1.14) instead of falling back to the transitive default from httpclient (1.11).

I think it should be the consumer's responsibility to resolve to a higher version? For GAPIC client libraries, it should be fine since commons-codec is already managed. So maybe we manage the version in auth as well? In the future though, we should extract it to a high level so both auth and third-party-dependencies share the same versions.

lqiu96 (Member, Author) commented Jun 30, 2026

> I think it should be the consumer's responsibility to resolve to a higher version?

Hmm, I would think this applies for direct dependencies that consumers need a newer version for or transitive deps pulled from repos where we can't change ourselves. It seems odd to have downstream libraries manage the versions for upstream transitive dependencies if the deps come from upstream repos we own.

I guess we already manage deps for a few transitive deps in shared-deps for better or worse and I'll keep with the pattern.

> So maybe we manage the version in auth as well

Yeah, I'll update in auth bom for now

lqiu96 closed this Jun 30, 2026