JENKINS-41631

Use requireUpperBoundDeps in plugin POM


    Description

      The dependencies in plugin POMs are typically a mess, especially when deep dependency trees are in use, as is typical for Pipeline suite components. The problem is Maven's transitive dependency resolution algorithm, which prefers the "nearest" version, even if it is older than what some other dependency requires. This does not work well for plugin dependencies in particular, and Jenkins 2.19.x and newer will in fact refuse to load plugins which fail to satisfy their dependencies, rather than producing cryptic linkage errors later. You can see this behavior via

      mvn -Djenkins.version=2.19.3 -Dtest=InjectedTest test
      

      Probably the best way forward is to use the Enforcer plugin to require upper bound dependencies. You can try this in a single plugin:

          <build>
              <plugins>
                  <plugin>
                      <groupId>org.apache.maven.plugins</groupId>
                      <artifactId>maven-enforcer-plugin</artifactId>
                      <configuration>
                          <rules combine.children="append">
                              <requireUpperBoundDeps/>
                          </rules>
                      </configuration>
                  </plugin>
              </plugins>
          </build>
      

      I think andresrc tried adding this to the parent POM before but ran into issues. While it does detect plugin version mismatches, it also detects some problems that are apparently harmless (and currently RequireUpperBoundDeps has no excludes option). In particular I note from workflow-aggregator as an example:

      • jenkins-core depends on com.google.guava:guava:11.0.1, which we would like to retain in plugin test classpaths for fidelity to runtime behavior, yet Stapler depends on 14.0
      • that old Guava depends on com.google.code.findbugs:jsr305:1.3.9, whereas we would prefer Stapler's 2.0.1 (at least)
      • org.kohsuke:github-api depends on com.infradna.tool:bridge-method-annotation:1.14, newer than core
      • net.sourceforge.htmlunit:htmlunit and org.apache.httpcomponents:httpclient depend on commons-logging:commons-logging:1.2, newer than core's 1.1.3
      • org.jenkins-ci.lib:lib-jenkins-maven-embedder, used from org.jenkins-ci.main:jenkins-test-harness, depends on org.apache.ant:ant:1.9.2 while core still uses 1.8.4
      • org.jenkins-ci.lib:lib-jenkins-maven-embedder also uses org.codehaus.plexus:plexus-utils:3.0.10, newer than the 2.1 used by other paths in jenkins-test-harness; there is a similar problem with org.codehaus.plexus:plexus-classworlds 2.4 vs. 2.4.2

      The Stapler-vs.-core conflict probably cannot be resolved in historical core baselines, so we may need to patch the Enforcer to allow an excludes list. Some of the other conflicts look solvable.
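      An added illustration, not part of the original issue or of the Enforcer plugin: a small Python model of the "nearest wins" mediation described above and of the check that requireUpperBoundDeps performs, run over a tree shaped like the Guava and jsr305 bullets. The plugin and Stapler version numbers, the simplified numeric version ordering, and the `excludes` parameter (modelling the excludes list proposed above) are assumptions.

```python
from collections import deque

GUAVA = "com.google.guava:guava"
JSR305 = "com.google.code.findbugs:jsr305"

# Constructed sample tree: (coordinate, version, children).
# The plugin and stapler versions are placeholders, not taken from the issue.
TREE = ("example-plugin", "1.0", [
    ("jenkins-core", "2.19.3", [
        (GUAVA, "11.0.1", [(JSR305, "1.3.9", [])]),
        ("stapler", "1.0", [
            (GUAVA, "14.0", []),
            (JSR305, "2.0.1", []),
        ]),
    ]),
])

def vkey(version):
    """Simplified numeric ordering; Maven's real version comparison has more rules."""
    return tuple(int(part) for part in version.split("."))

def resolve_nearest(root):
    """Breadth-first walk: the shallowest (then first-declared) version of each
    coordinate wins, and the subtree of a losing node is not expanded."""
    chosen, seen = {}, {}
    queue = deque([root])
    while queue:
        coord, version, children = queue.popleft()
        seen.setdefault(coord, set()).add(version)
        if coord in chosen:
            continue  # a nearer declaration already won
        chosen[coord] = version
        queue.extend(children)
    return chosen, seen

def upper_bound_violations(root, excludes=()):
    """Report coordinates whose resolved version is older than one requested
    elsewhere in the tree, skipping any coordinate listed in excludes."""
    chosen, seen = resolve_nearest(root)
    violations = {}
    for coord, versions in seen.items():
        highest = max(versions, key=vkey)
        if coord not in excludes and vkey(chosen[coord]) < vkey(highest):
            violations[coord] = (chosen[coord], highest)
    return violations

if __name__ == "__main__":
    for coord, (used, wanted) in upper_bound_violations(TREE).items():
        print(f"{coord}: resolved {used}, but {wanted} is required elsewhere")
```

      With Guava excluded, only the jsr305 mismatch remains, which is the kind of conflict the description calls solvable.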

          Activity

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            http://jenkins-ci.org/commit/plugin-pom/0782ed6172638173dadb4f5d38cd9d7a8db6e3f7
            Log:
            JENKINS-41631 Work better with new cores.


            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            http://jenkins-ci.org/commit/plugin-pom/d05e6ad500223d7426a93c75e3f1907a5b50a17b
            Log:
            Merge pull request #73 from jglick/requireUpperBoundDeps-JENKINS-41631

            JENKINS-41631 Make requireUpperBoundDeps work better with new cores

            Compare: https://github.com/jenkinsci/plugin-pom/compare/e245b2e2b919...d05e6ad50022


            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/pom.xml
            pom.xml
            test/pom.xml
            war/pom.xml
            http://jenkins-ci.org/commit/jenkins/b8f6246d7600a6e7d8b732da9c3153fb33f5ddde
            Log:
            JENKINS-41631 Enforce upper bound deps on Jenkins core (#2956)

            • stapler 1.252
            oleg_nenashev Oleg Nenashev added a comment -

            The fix has been integrated towards Jenkins 2.74


            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            http://jenkins-ci.org/commit/parameterized-trigger-plugin/95056c1d3460da6bf207f9b56f7e97648d7a9754
            Log:
            JENKINS-41631 Demonstration of POM update (#113)

            • plugin-pom 2.31

            People

              jglick Jesse Glick