
<h3>Description</h3>
<p>The gradle build needs to be more strict about excluding transitive dependencies that create version conflicts.  (This implies some dependencies might need to be upgraded, and some even downgraded, to align versions of direct and transitive dependencies.)</p>
<h4>Version</h4>
<p>Commit <a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/bisq-network/bisq/commit/17bb7b4ba6f35ea29032293000582b31aed76ddf/hovercard" href="https://github.com/bisq-network/bisq/commit/17bb7b4ba6f35ea29032293000582b31aed76ddf"><tt>17bb7b4</tt></a></p>
<h3>Steps to reproduce</h3>
<p>Build Bisq and see multiple versions of some jars in the lib dir.</p>
<h3>Expected behaviour</h3>
<p>There should not be any version conflicts, and every jar needs to be verified by the gradle-witness.gradle file.</p>
<h3>Actual behaviour</h3>
<p>There are several transitive dependencies downloaded during the build that conflict with direct dependencies specified in gradle.build, and they are not being verified by gradle-witness.  For example, here are duplicate jars with the letters 'grpc' in their name:</p>
<pre><code>grpc-context-1.10.1.jar
grpc-context-1.25.0.jar
grpc-core-1.10.1.jar
grpc-core-1.25.0.jar
grpc-netty-shaded-1.10.1.jar
grpc-netty-shaded-1.25.0.jar
grpc-protobuf-1.10.1.jar
grpc-protobuf-1.25.0.jar
grpc-protobuf-lite-1.10.1.jar
grpc-protobuf-lite-1.25.0.jar
grpc-stub-1.10.1.jar
grpc-stub-1.25.0.jar
opencensus-contrib-grpc-metrics-0.11.0.jar
opencensus-contrib-grpc-metrics-0.21.0.jar
</code></pre>
<p>This may not be an urgent problem because the latest jar is loaded at runtime. However, that also means that a transitive dependency with a larger version than is specified in the build file is loaded, not the jar which has passed gradle witness verification.  For example:  the build file specifies</p>
<pre><code>slf4jVersion = '1.7.22'
</code></pre>
<p>but</p>
<pre><code>lsof -Pan -p $(pgrep -f BisqAppMain)   # on Linux
</code></pre>
<p>shows me that the transitive dependency slf4j-api-1.7.25.jar is being loaded instead.</p>
<p>Maybe building the shipped, shaded jar eliminates most of this problem, but it's already eaten a good bit of my time trying to figure out why the grpc jar version conflicts I described above exist.</p>
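<p>An added example, not part of the original issue or of the Bisq build: a small audit of a lib directory listing that reports artifacts present in more than one version, and artifacts whose highest version (the one the issue says is loaded at runtime) differs from the version pinned in the build file. The function names, the <code>PINNED</code> map and the sample listing are assumptions made for illustration; the listing reuses jar names from the issue plus constructed entries.</p>

```python
import re
from collections import defaultdict

# "<artifact>-<version>.jar", where the version starts with a digit.
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.+-]*)\.jar$")


def version_key(version):
    """Numeric sort key, so that 1.10.1 sorts above 1.9.0."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def group_versions(jar_names):
    """Map artifact name -> versions found, sorted oldest to newest."""
    found = defaultdict(set)
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if m:
            found[m["name"]].add(m["version"])
    return {n: sorted(vs, key=version_key) for n, vs in found.items()}


def audit(jar_names, pinned):
    """Return (conflicts, drift).

    conflicts: artifacts present in more than one version.
    drift: artifact -> (pinned version, highest version present), for
           artifacts where the two differ. Assumes, as the issue reports,
           that the highest version is the one loaded at runtime.
    """
    groups = group_versions(jar_names)
    conflicts = {n: vs for n, vs in groups.items() if len(vs) > 1}
    drift = {n: (pinned[n], vs[-1]) for n, vs in groups.items()
             if n in pinned and vs[-1] != pinned[n]}
    return conflicts, drift


# Constructed listing: grpc names come from the issue; the slf4j-api 1.7.22
# jar and the guava jar are assumed entries added for the example.
SAMPLE_LIB = [
    "grpc-core-1.10.1.jar", "grpc-core-1.25.0.jar",
    "grpc-protobuf-lite-1.10.1.jar", "grpc-protobuf-lite-1.25.0.jar",
    "slf4j-api-1.7.22.jar", "slf4j-api-1.7.25.jar",
    "guava-28.2-jre.jar",
]
PINNED = {"slf4j-api": "1.7.22"}  # slf4jVersion from the build file

if __name__ == "__main__":
    conflicts, drift = audit(SAMPLE_LIB, PINNED)
    for name, versions in sorted(conflicts.items()):
        print(f"CONFLICT {name}: {', '.join(versions)}")
    for name, (want, got) in sorted(drift.items()):
        print(f"DRIFT    {name}: pinned {want}, highest present {got}")
```

<p>In practice the listing would come from the lib directory itself, for example <code>os.listdir</code> on the build output, and the pinned map from the version variables in the build file.</p>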
