Skip to content

Explore ways to publish useful dependency metadata #23486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bclozel opened this issue Aug 19, 2019 · 3 comments
Closed

Explore ways to publish useful dependency metadata #23486

bclozel opened this issue Aug 19, 2019 · 3 comments
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@bclozel
Copy link
Member

bclozel commented Aug 19, 2019

While refactoring the Spring Framework build in #23282, we've found that the optional dependencies published with the POMs are misleading. As seen in #23234, some developers consider this information as:

  • telling how a Spring application should consume Framework dependencies,
  • recommendations about versions
  • how to enable support for a particular library, etc.

As describe in #23234 (comment) we've found that many published optional dependencies are misleading in that sense. The Maven reference documentation states that optional means:

In the shortest terms, optional lets other projects know that, when you use this project, you do not require this dependency in order to work correctly.

Instead of providing information that is misinterpreted by developers, the team decided to not publish that information. Note that the Spring Framework project not only still publishes a valid POM, but also that it's being built with Gradle and that mapping a custom Gradle configuration to a Maven optional scope was dubious in the first place.

The Spring Framework team will explore other ways to publish useful metadata for consumer projects.
@bclozel bclozel added the type: task A general task label Aug 19, 2019
@bclozel bclozel added this to the 5.2 RC2 milestone Aug 19, 2019
@bclozel bclozel self-assigned this Aug 19, 2019
@bclozel
Copy link
Member Author

bclozel commented Aug 19, 2019
edited
Loading

See 561af5f

@bclozel bclozel closed this as completed Aug 19, 2019
@bclozel bclozel mentioned this issue Aug 20, 2019
Closed
@bclozel bclozel changed the title Remove optional dependencies from published POMs Explore ways to publish useful metadata Aug 20, 2019
@bclozel bclozel reopened this Aug 20, 2019
@rstoyanchev rstoyanchev changed the title Explore ways to publish useful metadata Explore ways to publish useful dependency metadata Aug 20, 2019
@bclozel
Copy link
Member Author

bclozel commented Aug 22, 2019

Rather than publishing information about how Spring Framework has been built, we'd rather try and provide useful information for consumers.

We could provide information about:

  1. 3rd party libraries compatibility and support
  2. Spring Framework spec requirements

Case 1) is interesting, but I think it was covered by the now retired Spring IO Platform; it's been replaced with the Spring Boot BOM, which can be used by non-Spring Boot projects. The advantage of that approach is that the Spring Boot team has a semi-automated process for updating 3rd party dependencies and is checking compatibility with a large test suite. The Spring Framework build cannot compete here.

Case 2) is currently taken care of with wiki pages for each Spring Framework generation, as checking such requirements is tied to migrating to newer framework generations (here is the 5.x generation section). We can also think about important dependencies such as Kotlin, Reactor, etc.

Spring Framework is very flexible, so almost everything is optional and supported version ranges are often quite large.

Maybe we could use the Spring Framework Maven BOM to publish additional metadata, as such requirements are not linked to a particular project module, but to the whole framework.

Adding metadata to our Java Platform?

We're already publishing version constraints for all the Spring Framework modules, maybe there is a way to have additional information there?

Here's an example with the Servlet spec:

dependencies {
	constraints {
		// publish constraints for all Spring Framework modules
		parent.moduleProjects.sort { "$it.name" }.each {
			api it
		}
		// declare additional constraints
		runtime('javax.servlet:javax.servlet-api') {
			version {
				require '3.1.0'
				prefer '4.0'
			}
			because 'Spring Framework requires Servlet 3.1+'
		}
	}
}

Such metadata involves a lossy process when exported to the Maven BOM, and this results in:

      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-websocket</artifactId>
        <version>5.2.0.BUILD-SNAPSHOT</version>
        <scope>compile</scope>
      </dependency>
      <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>3.1.0</version>
        <scope>runtime</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

So I'm wondering if that's really where we want to go. As far as I understand, unless you're publishing "a platform" like the Spring Boot BOM, you should only list dependencies that you're publishing yourself and avoid unwanted interactions with other BOMs.

@bclozel bclozel modified the milestones: 5.2 RC2, 5.x Backlog Sep 2, 2019
@bclozel bclozel added status: declined A suggestion or change that we don't feel we should currently apply and removed type: task A general task labels Apr 1, 2020
@bclozel bclozel removed this from the 5.x Backlog milestone Apr 1, 2020
@bclozel bclozel removed their assignment Apr 1, 2020
@bclozel
Copy link
Member Author

bclozel commented Apr 1, 2020

We didn't find proper ways to express that information in our build, so it can't be exported as part of our artifacts metadata. I'm closing this issue as we won't solve this.

@bclozel bclozel closed this as completed Apr 1, 2020
artembilan added a commit to artembilan/spring-kafka that referenced this issue Jul 11, 2022
@artembilan
Remove provided deps from the target POM
f03c1ae 
Related to spring-projects/spring-framework#23486

We have this `providedApi 'org.junit.platform:junit-platform-launcher'`
where its `version` is resolved from `mavenBom "org.junit:junit-bom:$junitJupiterVersion"`.
When we generate a Maven POM, this kind of dependency is present as an `optional` by default.
We previously have overridden this to the `provided`, but it comes without a `version`.

According to Spring Framework decision this kind of transitive dependencies are misleading.

* Remove any `provided` deps in Gradle from the target POM altogether
@artembilan artembilan mentioned this issue Jul 11, 2022
Merged
garyrussell pushed a commit to spring-projects/spring-kafka that referenced this issue Jul 13, 2022
@artembilan @garyrussell
Remove provided deps from the target POM
6d4cba5 
Related to spring-projects/spring-framework#23486

We have this `providedApi 'org.junit.platform:junit-platform-launcher'`
where its `version` is resolved from `mavenBom "org.junit:junit-bom:$junitJupiterVersion"`.
When we generate a Maven POM, this kind of dependency is present as an `optional` by default.
We previously have overridden this to the `provided`, but it comes without a `version`.

According to Spring Framework decision this kind of transitive dependencies are misleading.

* Remove any `provided` deps in Gradle from the target POM altogether
@sdeleuze sdeleuze mentioned this issue Sep 23, 2022
Closed
@bclozel bclozel mentioned this issue Jul 25, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: declined A suggestion or change that we don't feel we should currently apply
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bclozel