Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-41631

Use requireUpperBoundDeps in plugin POM


      The dependencies in plugin POMs are typically a mess, especially when deep dependency trees are in use, as is typical for Pipeline suite components. The problem is Maven's transitive dependency resolution algorithm, which prefers the "nearest" version, even if it is older than what some other dependency requires. This does not work well for plugin dependencies in particular, and Jenkins 2.19.x and newer will in fact refuse to load plugins which fail to satisfy their dependencies, rather than producing cryptic linkage errors later. You can see this behavior via

      mvn -Djenkins.version=2.19.3 -Dtest=InjectedTest test

      Probably the best way forward is to use the Enforcer plugin to require upper bound dependencies. You can try this in a single plugin:

                          <rules combine.children="append">

      I think andresrc tried adding this to the parent POM before but ran into issues. While it does detect plugin version mismatches, it also detects some problems that are apparently harmless (and currently RequireUpperBoundDeps has no excludes option). In particular I note from workflow-aggregator as an example:

      • jenkins-core depends on com.google.guava:guava:11.0.1, which we would like to retain in plugin test classpaths for fidelity to runtime behavior, yet Stapler depends on 14.0
      • that old Guava depends on com.google.code.findbugs:jsr305:1.3.9, whereas we would prefer Stapler's 2.0.1 (at least)
      • org.kohsuke:github-api depends on com.infradna.tool:bridge-method-annotation:1.14, newer than core
      • net.sourceforge.htmlunit:htmlunit and org.apache.httpcomponents:httpclient depend on commons-logging:commons-logging:1.2, newer than core's 1.1.3
      • org.jenkins-ci.lib:lib-jenkins-maven-embedder, used from org.jenkins-ci.main:jenkins-test-harness, depends on org.apache.ant:ant:1.9.2 while core still uses 1.8.4
      • org.jenkins-ci.lib:lib-jenkins-maven-embedder also uses org.codehaus.plexus:plexus-utils:3.0.10, newer than the 2.1 used by other paths in jenkins-test-harness; there is a similar problem with org.codehaus.plexus:plexus-classworlds 2.4 vs. 2.4.2

      The Stapler-vs.-core conflict probably cannot be resolved in historical core baselines, so we may need to patch the Enforcer to allow an excludes list. Some of the other conflicts look solvable.

            jglick Jesse Glick
            jglick Jesse Glick
            2 Vote for this issue
            8 Start watching this issue