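I am trying to force some dependencies in Gradle, but I am having a hard time getting it to work.
I read the documentation and tried the following: https://docs.gradle.org/current/userguide/dependency_management.html#controlling_transitive_dependency
build.gradle: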
dependencies {
    implementation (group: 'com.google.protobuf', name: 'protobuf-java-util', version: '3.19.4')
    constraints {
        implementation('com.google.code.gson:gson-2.8.9')
    }
    implementation (group: 'io.confluent', name: 'kafka-connect-s3', version: '5.5.7')
    constraints {
        implementation('com.google.code.gson:gson-2.8.9')
        implementation('org.apache.hadoop:hadoop-common-3.3.1')
    }
}
But when I check the dependencies, this is completely ignored. How can I force the use of 2.8.9 in this case?
$ ./gradlew -q dependencyInsight --dependency com.google.code.gson:gson
variant "compile" [
    org.gradle.status = release (not requested)
    org.gradle.usage = java-api
    org.gradle.libraryelements = jar (compatible with: classes)
    org.gradle.category = library
    Requested attributes not found in the selected variant:
        org.gradle.dependency.bundling = external
        org.gradle.jvm.version = 8
]
Selection reasons:
    - By conflict resolution : between versions 2.8.6 and 2.2.4
com.google.code.gson:gson:2.8.6
\--- com.google.protobuf:protobuf-java-util:3.19.4
     \--- compileClasspath
com.google.code.gson:gson:2.2.4 -> 2.8.6
\--- org.apache.hadoop:hadoop-common:2.10.1
     \--- io.confluent:kafka-connect-s3:5.5.7
          \--- compileClasspath
A web-based, searchable dependency report is available by adding the --scan option.
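From the output, I can see that my constraints are not even considered, so are there any hints as to what I might be doing wrong?
Thanks for any feedback.
Update: I managed to get this working in a different way, but I don't think this is how you are supposed to do it.
build.gradle: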
implementation (group: 'com.google.protobuf', name: 'protobuf-java-util', version: protobufVersion) {
    exclude group: 'com.google.code.gson', module: 'gson'
}
implementation (group: 'io.confluent', name: 'kafka-connect-s3', version: confluentVersion) {
    exclude group: 'org.apache.hadoop', module: 'hadoop-common'
}
implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.9', transitive: true
implementation group: 'org.apache.hadoop', name: 'hadoop-common', version: '3.3.1', transitive: true
constraints {
    implementation('com.google.code.gson:gson-2.8.9') {
        because 'ADA-1033 and ADA-1042 (VULN-4102, VULN-4090)'
    }
    implementation('org.apache.hadoop:hadoop-common-3.3.1')
}
$ ./gradlew -q dependencyInsight --dependency com.google.code.gson:gson
variant "compile" [
    org.gradle.status = release (not requested)
    org.gradle.usage = java-api
    org.gradle.libraryelements = jar (compatible with: classes)
    org.gradle.category = library
    Requested attributes not found in the selected variant:
        org.gradle.dependency.bundling = external
        org.gradle.jvm.version = 8
]
Selection reasons:
    - By conflict resolution : between versions 2.8.9 and 2.2.4
com.google.code.gson:gson:2.8.9
\--- compileClasspath
com.google.code.gson:gson:2.2.4 -> 2.8.9
\--- org.apache.hadoop:hadoop-common:3.3.1
     \--- compileClasspath
A web-based, searchable dependency report is available by adding the --scan option.
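Like I said, this seems to work, but I think that if I am forcing a certain version just by declaring the transitive dependency, I don't even need the constraints block there. I would still like to understand why my first example did not work.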
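One thing to note here is that constraints {} is not a property of implementation; it is a sibling. I suggest you merge everything into a single constraints section, because having two sections is unnecessarily complicated and, in your case, leads to redundancy: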
dependencies {
    implementation (group: 'com.google.protobuf', name: 'protobuf-java-util', version: '3.19.4')
    implementation (group: 'io.confluent', name: 'kafka-connect-s3', version: '5.5.7')
    constraints {
        implementation('com.google.code.gson:gson-2.8.9')
        implementation('org.apache.hadoop:hadoop-common-3.3.1')
    }
}
Secondly, the version syntax in your constraints is wrong. You use a hyphen where you need a colon. So the correct syntax is:
constraints {
    implementation('com.google.code.gson:gson:2.8.9')
    implementation('org.apache.hadoop:hadoop-common:3.3.1')
}
You can find the exact syntax snippet you need on mvnrepository: https://mvnrepository.com/artifact/com.google.code.gson/gson/2.8.9#gradle-short https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/3.3.1#gradle-short
So the configuration to use is:
dependencies {
    implementation (group: 'com.google.protobuf', name: 'protobuf-java-util', version: '3.19.4')
    implementation (group: 'io.confluent', name: 'kafka-connect-s3', version: '5.5.7')
    constraints {
        implementation('com.google.code.gson:gson:2.8.9')
        implementation('org.apache.hadoop:hadoop-common:3.3.1')
    }
}
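A CI-side check for the silent failure discussed in this thread, added here as an example (it is not code from the question or the answer): it flags `group:name-version` strings in a build file and reads `dependencyInsight` output to confirm the selected version meets a security floor. The function names and the sample strings are assumptions constructed for the example, and versions are assumed to be plain dotted numbers.

```python
import re

# Header lines of `gradlew dependencyInsight`: "g:n:v" or "g:n:requested -> selected",
# optionally followed by a parenthesised reason.
_HEADER = re.compile(
    r"^([\w.\-]+):([\w.\-]+):([\w.\-]+)(?: -> ([\w.\-]+))?(?:\s+\(.*\))?$")
# Heuristic: quoted "group:name-1.2.3", one colon only, version glued on with a hyphen.
_HYPHENATED = re.compile(r"""['"]([\w.\-]+):([\w.\-]+?)-(\d+(?:\.\d+)+)['"]""")

def _key(version):
    """Sort key for plain dotted versions like 2.8.9 (assumption: no qualifiers)."""
    return tuple(int(part) for part in version.split("."))

def hyphenated_coordinates(build_text):
    """Return (found, suggested) pairs for notations Gradle reads as a
    version-less module named e.g. 'gson-2.8.9'."""
    return [(f"{g}:{n}-{v}", f"{g}:{n}:{v}")
            for g, n, v in _HYPHENATED.findall(build_text)]

def selected_versions(report, module):
    """Versions Gradle selected for module ('group:name') in the report."""
    found = set()
    for line in report.splitlines():
        m = _HEADER.match(line.strip())
        if m and f"{m.group(1)}:{m.group(2)}" == module:
            found.add(m.group(4) or m.group(3))
    return found

def below_floor(report, module, minimum):
    """Return selected versions older than minimum; raise if module is absent."""
    versions = selected_versions(report, module)
    if not versions:
        raise ValueError(f"{module} not found in report")
    return sorted((v for v in versions if _key(v) < _key(minimum)), key=_key)

# Constructed samples, shaped like the build file and first report in the question.
BUILD = """constraints {
    implementation('com.google.code.gson:gson-2.8.9')
    implementation('org.apache.hadoop:hadoop-common:3.3.1')
}"""
REPORT = """com.google.code.gson:gson:2.8.6
\\--- com.google.protobuf:protobuf-java-util:3.19.4
com.google.code.gson:gson:2.2.4 -> 2.8.6
\\--- org.apache.hadoop:hadoop-common:2.10.1"""

if __name__ == "__main__":
    print(hyphenated_coordinates(BUILD))
    print(below_floor(REPORT, "com.google.code.gson:gson", "2.8.9"))
```

A non-empty result from either function is a reason to fail the build, since the malformed constraint produces no Gradle error on its own.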