
Plugin silently gives wrong advices when different versions of a dependency are used in different source sets of the same project

Open jjohannes opened this issue 2 years ago • 3 comments

Build scan link

https://scans.gradle.com/s/lyx5rjpyqfnhu/console-log

Plugin version

1.21.0

Gradle version

7.6.1

reason output for bugs relating to incorrect advice

https://scans.gradle.com/s/lyx5rjpyqfnhu/console-log?page=1#L304

Describe the bug

If there are different versions of a dependency for different source sets (in the example junit-jupiter-api:5.9.0 vs junit-jupiter-api:5.9.1), only one of the Jars is analyzed. In the example, 5.9.0 is used. Then this does not match in cases where 5.9.1 is in the dependency graph, and the plugin assumes "an empty Jar" (for 5.9.1). As a result, the plugin gives the wrong advice to remove the dependencies on junit-jupiter-api in such cases. In the example, it advises to remove testImplementation although src/test/java is using it.

https://scans.gradle.com/s/lyx5rjpyqfnhu/dependencies?dependencies=junit-jupiter-api&expandAll&projectFilter=WyI6YXBwIl0

To Reproduce

I am not yet sure if this happens every time in such a situation or if there are some special circumstances causing this. I'll provide a reproducer later.

Expected behavior

I don't think this necessarily needs to be supported in all cases. Having consistent versioning in one build is what is desired in most cases. It's just easily missed. IMO, it would also be fine to fail in some form if the plugin can detect such a case it cannot handle.

Just the wrong advice you get right now is confusing.

jjohannes avatar Aug 29 '23 07:08 jjohannes
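The situation in the report, reconstructed as an added example (this is not the issue's project, nor code from the dependency-analysis plugin): a `build.gradle.kts` in which the main and test source sets resolve different versions of junit-jupiter-api, plus a hypothetical `checkVersionSkew` task that walks each source set's resolved classpath and fails the build when one module resolves to more than one version. The dependency declarations, task name and error messages are constructed for illustration; the Gradle APIs used (`configurations.*Classpath`, `ResolutionResult.allComponents`, `ModuleComponentIdentifier`) are standard.

```kotlin
// build.gradle.kts (added example; not from the plugin or the reporter's project)
import org.gradle.api.artifacts.component.ModuleComponentIdentifier

plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Constructed version skew mirroring the report: the main classpaths resolve
    // 5.9.0, the test classpaths resolve 5.9.1 because Gradle's conflict
    // resolution picks the highest requested version per configuration.
    implementation("org.junit.jupiter:junit-jupiter-api:5.9.0")
    testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.1")
}

// Hypothetical task (not part of the plugin). It resolves the compile and
// runtime classpaths of each source set and fails when the same module
// resolves to different versions in different classpaths, which is the case
// the analysis plugin currently mis-advises on.
val checkVersionSkew by tasks.registering {
    group = "verification"
    description = "Fails if a module resolves to different versions across source-set classpaths"

    val classpaths = listOf(
        configurations.compileClasspath,
        configurations.runtimeClasspath,
        configurations.testCompileClasspath,
        configurations.testRuntimeClasspath,
    )

    doLast {
        // "group:name" -> (classpath name -> resolved version)
        val seen = mutableMapOf<String, MutableMap<String, String>>()
        for (cp in classpaths) {
            val conf = cp.get()
            for (component in conf.incoming.resolutionResult.allComponents) {
                // Project components (the root, subprojects) have no module version; skip them.
                val id = component.id as? ModuleComponentIdentifier ?: continue
                seen.getOrPut("${id.group}:${id.module}") { mutableMapOf() }[conf.name] = id.version
            }
        }
        val skewed = seen.filterValues { byClasspath -> byClasspath.values.toSet().size > 1 }
        if (skewed.isNotEmpty()) {
            skewed.forEach { (module, byClasspath) ->
                logger.error("version skew for $module: $byClasspath")
            }
            throw GradleException("${skewed.size} module(s) resolve to different versions across source sets")
        }
    }
}

tasks.named("check") {
    dependsOn(checkVersionSkew)
}
```

With the constructed declarations above, `./gradlew checkVersionSkew` reports `org.junit.jupiter:junit-jupiter-api` at 5.9.0 on compileClasspath/runtimeClasspath and 5.9.1 on testCompileClasspath/testRuntimeClasspath and fails. This is a pre-flight check in the spirit of the "fail if the plugin can detect such a case" suggestion in the issue; it does not change what the analysis plugin itself reports, and the cheaper fix in most builds is to align the versions (for example through a platform) so the skew never exists.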

I suspect this might be fixed in 1.24.0. I found a bug relating to version skew with external dependencies, in a different context than this, and fixed it. Can you test?

autonomousapps avatar Oct 01 '23 19:10 autonomousapps

I can confirm that the problem is gone with 1.24.0 in the project setup where I faced this

jjohannes avatar Oct 02 '23 07:10 jjohannes

Sorry I was mistaken. Problem still exists. New scan with 1.24.0:

https://scans.gradle.com/s/dvnrv3xf5xehy/console-log?page=1#L303

jjohannes avatar Oct 02 '23 07:10 jjohannes

@jjohannes here's a reproducer, I think: https://github.com/autonomousapps/dependency-analysis-gradle-plugin/pull/1191

autonomousapps avatar May 23 '24 22:05 autonomousapps