okhttp icon indicating copy to clipboard operation
okhttp copied to clipboard

Published 20 hours ago verified publisher icon square

okio as a dependency changed artifactId in 4.10.x release

Open honnix opened this issue 2 years ago • 9 comments

Since 4.10.0 release, okio, as a dependency, has been changed to okio-jvm from okio. https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.10.0 vs https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.9.3

This is problematic because build tools like maven and gradle will treat them as two different artifacts and pull both of them as dependencies.

As an example:

  <dependencies>
    <dependency>
      <groupId>com.squareup.okio</groupId>
      <artifactId>okio</artifactId>
      <version>2.9.0</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
      <version>4.10.0</version>
    </dependency>
  </dependencies>

Will result in both okio-2.9.0.jar and okio-jvm-3.0.0.jar being pulled in as dependencies, while otherwise build tools will only pick up one of those (version resolution is a different story and things like maven-enforcer-plugin will not help in this case). The problem gets harder to be discovered if okio is introduced as a transitive dependency by another artifact.

We also noticed this was reverted in 5.x, see https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/5.0.0-alpha.9. So maybe this was introduced accidentally?

honnix avatar Jun 22 '22 10:06 honnix

Also related https://github.com/square/okio/issues/1067#issuecomment-1041591598 and https://github.com/square/okio/issues/1121

klaraward avatar Jun 22 '22 13:06 klaraward

This is the PR that bumped okio from 2.9 to 3 - https://github.com/square/okhttp/pull/7225

klaraward avatar Jun 22 '22 13:06 klaraward

Fixed in https://github.com/square/okhttp/pull/7354

yschimke avatar Jun 27 '22 08:06 yschimke

@yschimke Thanks for looking into this.

Could you please help me understand how #7354 fixes this issue? As I understood #7354 creates a dependency from okhttp to okhttp-jvm so current Maven users depending on okhttp will not need to change their dependency when upgrading to later okhttp version.

However, since okhttp-jvm depends on okio-jvm, Maven users having both okio and okhttp as dependencies will still end up with pulling in both okio and okio-jvm into classpath, is the right?

Also I see the PR was made towards the main branch so 4.x will not get it.

Let me try to understand the path moving forwards. Is it true starting from okhttp 5.x, using okhttp-jvm together with okio-jvm is the correct way for JVM platform? If that is the case I think #7354 might not help create the awareness.

Was it intended to introduce the similar change to 4.10.x (depending on okio-jvm)? I can understand having this type of change in a major release, but for a minor release it seems too aggressive. Is it possible to revert upgrading okio in 4.10.x?

Thanks again for looking into this issue.

honnix avatar Jun 27 '22 08:06 honnix

OK I see https://square.github.io/okio/changelog/#version-320 (https://github.com/square/okio/pull/1125) has a similar change. So maybe you could release 4.10.1 to depend on okio-3.2.0 instead of okio-jvm-3.0.0?

honnix avatar Jun 27 '22 08:06 honnix

Yep, sorry, you are right, will require a bump and release.

yschimke avatar Jun 27 '22 10:06 yschimke

Thank you so much! Looking forwards to a new release. Also thanks for working on the workaround to help users migrate.

honnix avatar Jun 27 '22 10:06 honnix

Yep! I wanna release 4.11.0 that depends on Okio 3.2.0.

swankjesse avatar Jun 27 '22 11:06 swankjesse

Yep! I wanna release 4.11.0 that depends on Okio 3.2.0.

@swankjesse When will 4.11.0 be released to fix this?

Our project has both okio:1.12.0 and okio-jvm:3.0.0. When util.kt loads the okio.Options class in okio:1.12.0, it will trigger java.lang.NoSuchFieldError: Companion.

tianshuang avatar Sep 13 '22 15:09 tianshuang