Comments (7)
> That changelog item says that they changed utils.VersionUtils, which is not something that is referenced by the Java SDK, so I see no reason why you shouldn't be able to use a newer version.

LaunchDarkly is not the only library in my application that's using gson. I'm using other things that also use gson. protobuf (an indirect dependency of ours through some Google Cloud libraries we're using for BigQuery), for example, also uses gson. I can test that my own code doesn't call the affected methods, but it's going to be very difficult to tell if (at runtime) some part of some other library is going to want to call one of the affected methods. So it's best if I can allow my dependencies to specify their desired version of their dependencies.

> Also, is there a reason you can't use the "all" distribution that bundles Gson and SLF4j?

The "all" distribution bundles gson and slf4j without shading them. The bundled version of slf4j is incompatible with our application, resulting in ClassCastExceptions.
from java-server-sdk.
@rkennedy-mode We've released version 4.10.1 which should fix the scope problem; the question about dependency ranges is something that we can revisit separately.
from java-server-sdk.
This is causing us active pain at the moment as we're having to manually manage which version of gson is being used. dependabot then happily tells us it's behind v.latest and unhelpfully offers to upgrade us to gson v.latest, which potentially introduces a backwards incompatible change (see v2.8.5).
Compile fails even if you're not referencing any gson classes. Our code calls LDUser.Builder.custom(String, String) but the compiler complains because there's another version of that method that takes a gson JsonElement: LDUser.Builder.custom(String, JsonElement).
from java-server-sdk.
Could you say more about what you mean by "potentially introduces a backwards incompatible change"? That changelog item says that they changed utils.VersionUtils, which is not something that is referenced by the Java SDK, so I see no reason why you shouldn't be able to use a newer version. Since the SDK uses a fairly limited subset of Gson functionality and always uses it in the same ways, you should be able to tell right away whether there is actually a problem.
I know we still need to fix the dependency scopes, I'm just trying to understand why the current workaround is such a problem.
from java-server-sdk.
Also, is there a reason you can't use the "all" distribution that bundles Gson and SLF4j?
from java-server-sdk.
I believe we now know how to fix this. Apologies for the delay— we wasted a lot of time on the assumption that we were using the Shadow plugin incorrectly, but it seems like this is actually a known issue in Shadow and just has to be worked around. And then it fell off of our radar at some point last year because no one else had mentioned it. We should have a release with the fix shortly.
A related question: would it be better for the dependency to specify a range like [2.7,3.0) rather than the current specific version? The SDK should not care if another library prefers a later version of Gson as long as it's in the same major version. The only reason I'm hesitating to make that change is that then we would probably need to have a separate build for the "all" jar (the one that bundles Gson), retaining a specific version dependency there, because otherwise we would not have a reproducible build of that distribution.
from java-server-sdk.
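The range-versus-reproducibility trade-off raised in the comment above, sketched as a Gradle build file. This is an added example, not the SDK's own build configuration; the plugin and repository choices are assumptions, and only the Gson coordinates and the range `[2.7,3.0)` come from the thread.

```groovy
// build.gradle (constructed example, not the SDK's actual build file)
plugins {
    id 'java-library'
}

repositories {
    mavenCentral()
}

dependencies {
    // Range from the comment: any Gson from 2.7 up to, but excluding, 3.0.
    // A consumer whose other libraries ask for a later 2.x release can then
    // resolve to a single version that satisfies everyone.
    implementation 'com.google.code.gson:gson:[2.7,3.0)'
}

// A range alone makes the resolved version depend on what is published at
// build time, which is the reproducibility concern raised for the "all" jar.
// Dependency locking records the resolved version in a lock file so that
// repeated builds use the same artifact until the lock is deliberately updated.
dependencyLocking {
    lockAllConfigurations()
}
```

Running `gradle dependencies --write-locks` writes the lock state; committing the resulting lock file makes any later change to the resolved Gson version show up as a reviewable diff.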
Thanks for the fast turnaround, Eli!
from java-server-sdk.