Netty 4.1.64+ netty-all package does not upgrade transitive deps of netty-* packages
See original GitHub issueExpected behavior
When building with gradle, with the netty-all
package, any netty-*
transitive dependencies should get upgraded to the version of netty-all.
Actual behavior
Starting with netty 4.1.64, a mix of netty versions become present on the runtime classpath.
runtimeClasspath - Runtime classpath of source set 'main'.
...
+--- com.impossibl.pgjdbc-ng.tools:udt-gen:0.8.8
| +--- com.impossibl.pgjdbc-ng:pgjdbc-ng:0.8.8
| | +--- com.impossibl.pgjdbc-ng:spy:0.8.8
| | +--- io.netty:netty-common:4.1.63.Final
| | +--- io.netty:netty-buffer:4.1.63.Final
| | | \--- io.netty:netty-common:4.1.63.Final
| | +--- io.netty:netty-transport:4.1.63.Final
| | | +--- io.netty:netty-common:4.1.63.Final
| | | +--- io.netty:netty-buffer:4.1.63.Final (*)
| | | \--- io.netty:netty-resolver:4.1.63.Final
| | | \--- io.netty:netty-common:4.1.63.Final
| | +--- io.netty:netty-codec:4.1.63.Final
| | | +--- io.netty:netty-common:4.1.63.Final
| | | +--- io.netty:netty-buffer:4.1.63.Final (*)
| | | \--- io.netty:netty-transport:4.1.63.Final (*)
| | +--- io.netty:netty-handler:4.1.63.Final
| | | +--- io.netty:netty-common:4.1.63.Final
| | | +--- io.netty:netty-resolver:4.1.63.Final (*)
| | | +--- io.netty:netty-buffer:4.1.63.Final (*)
| | | +--- io.netty:netty-transport:4.1.63.Final (*)
| | | \--- io.netty:netty-codec:4.1.63.Final (*)
| | +--- io.netty:netty-transport-native-unix-common:4.1.63.Final
| | | +--- io.netty:netty-common:4.1.63.Final
| | | +--- io.netty:netty-buffer:4.1.63.Final (*)
| | | \--- io.netty:netty-transport:4.1.63.Final (*)
| | +--- io.netty:netty-transport-native-kqueue:4.1.63.Final
| | | +--- io.netty:netty-common:4.1.63.Final
| | | +--- io.netty:netty-buffer:4.1.63.Final (*)
| | | +--- io.netty:netty-transport:4.1.63.Final (*)
| | | \--- io.netty:netty-transport-native-unix-common:4.1.63.Final (*)
| | \--- io.netty:netty-transport-native-epoll:4.1.63.Final
| | +--- io.netty:netty-common:4.1.63.Final
| | +--- io.netty:netty-buffer:4.1.63.Final (*)
| | +--- io.netty:netty-transport:4.1.63.Final (*)
| | \--- io.netty:netty-transport-native-unix-common:4.1.63.Final (*)
...
\--- project :<name censored>
+--- project :<name censored>
...
+--- io.netty:netty-all:4.1.67.Final
...
Steps to reproduce
See: https://github.com/tlf30/netty-test-1
Netty version
4.1.64+
JVM version (e.g. java -version
)
openjdk version "14.0.1" 2020-04-14
OS version (e.g. uname -a
)
Microsoft Windows 11 Pro Insider Preview
Version 10.0.22449 Build 22449
Issue Analytics
- State:
- Created 2 years ago
- Comments:7 (4 by maintainers)
Top Results From Across the Web
netty dependency brings old version - Stack Overflow
netty dependency version is 4.1.63. Any idea what can be the reason for having this dependencies bring older versions of transitive dependencies ......
Read more >Releasing new version - Netty.docs
The release procedure is currently a mix of executing a GitHub Action workflow and running a few scripts to finish the release process...
Read more >io.netty:netty-all | Maven - Open Source Insights
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers ...
Read more >Java - HTTP Request Smuggling - Veracode - SourceClear
netty -codec-http is vulnerable to HTTP request smuggling. The library does not properly validate duplicate `Content-Length` header fields and the `Transport- ...
Read more >Authentication
JDK versions prior to Java 9 do not support ALPN and are either missing ... Users of grpc-netty-shaded will automatically use netty-tcnative with...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
This should be fixed by https://github.com/netty/netty/pull/11732
While in this small example that is possible, but when dealing with many libraries adding hundreds of exclusions is not a maintainable option. If
netty-all
was only a pom artifact this would not be an issue. Take note of how groovy does theirgroovy-all
package, it does not have this problem.