Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Netty 4.1.64+ netty-all package does not upgrade transitive deps of netty-* packages

See original GitHub issue

Expected behavior

When building with gradle, with the netty-all package, any netty-* transitive dependencies should get upgraded to the version of netty-all.

Actual behavior

Starting with netty 4.1.64, a mix of netty versions become present on the runtime classpath.

runtimeClasspath - Runtime classpath of source set 'main'.
...
+--- com.impossibl.pgjdbc-ng.tools:udt-gen:0.8.8
|    +--- com.impossibl.pgjdbc-ng:pgjdbc-ng:0.8.8
|    |    +--- com.impossibl.pgjdbc-ng:spy:0.8.8
|    |    +--- io.netty:netty-common:4.1.63.Final
|    |    +--- io.netty:netty-buffer:4.1.63.Final
|    |    |    \--- io.netty:netty-common:4.1.63.Final
|    |    +--- io.netty:netty-transport:4.1.63.Final
|    |    |    +--- io.netty:netty-common:4.1.63.Final
|    |    |    +--- io.netty:netty-buffer:4.1.63.Final (*)
|    |    |    \--- io.netty:netty-resolver:4.1.63.Final
|    |    |         \--- io.netty:netty-common:4.1.63.Final
|    |    +--- io.netty:netty-codec:4.1.63.Final
|    |    |    +--- io.netty:netty-common:4.1.63.Final
|    |    |    +--- io.netty:netty-buffer:4.1.63.Final (*)
|    |    |    \--- io.netty:netty-transport:4.1.63.Final (*)
|    |    +--- io.netty:netty-handler:4.1.63.Final
|    |    |    +--- io.netty:netty-common:4.1.63.Final
|    |    |    +--- io.netty:netty-resolver:4.1.63.Final (*)
|    |    |    +--- io.netty:netty-buffer:4.1.63.Final (*)
|    |    |    +--- io.netty:netty-transport:4.1.63.Final (*)
|    |    |    \--- io.netty:netty-codec:4.1.63.Final (*)
|    |    +--- io.netty:netty-transport-native-unix-common:4.1.63.Final
|    |    |    +--- io.netty:netty-common:4.1.63.Final
|    |    |    +--- io.netty:netty-buffer:4.1.63.Final (*)
|    |    |    \--- io.netty:netty-transport:4.1.63.Final (*)
|    |    +--- io.netty:netty-transport-native-kqueue:4.1.63.Final
|    |    |    +--- io.netty:netty-common:4.1.63.Final
|    |    |    +--- io.netty:netty-buffer:4.1.63.Final (*)
|    |    |    +--- io.netty:netty-transport:4.1.63.Final (*)
|    |    |    \--- io.netty:netty-transport-native-unix-common:4.1.63.Final (*)
|    |    \--- io.netty:netty-transport-native-epoll:4.1.63.Final
|    |         +--- io.netty:netty-common:4.1.63.Final
|    |         +--- io.netty:netty-buffer:4.1.63.Final (*)
|    |         +--- io.netty:netty-transport:4.1.63.Final (*)
|    |         \--- io.netty:netty-transport-native-unix-common:4.1.63.Final (*)
...
\--- project :<name censored>
     +--- project :<name censored>
...
     +--- io.netty:netty-all:4.1.67.Final
    ...

Steps to reproduce

See: https://github.com/tlf30/netty-test-1

Netty version

4.1.64+

JVM version (e.g. java -version)

openjdk version "14.0.1" 2020-04-14

OS version (e.g. uname -a)

Microsoft Windows 11 Pro Insider Preview
Version	10.0.22449 Build 22449

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:7 (4 by maintainers)

github_iconTop GitHub Comments

1reaction
normanmaurercommented, Oct 5, 2021
0reactions
tlf30commented, Sep 6, 2021

While in this small example that is possible, but when dealing with many libraries adding hundreds of exclusions is not a maintainable option. If netty-all was only a pom artifact this would not be an issue. Take note of how groovy does their groovy-all package, it does not have this problem.

Read more comments on GitHub >

github_iconTop Results From Across the Web

netty dependency brings old version - Stack Overflow
netty dependency version is 4.1.63. Any idea what can be the reason for having this dependencies bring older versions of transitive dependencies ......
Read more >
Releasing new version - Netty.docs
The release procedure is currently a mix of executing a GitHub Action workflow and running a few scripts to finish the release process...
Read more >
io.netty:netty-all | Maven - Open Source Insights
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers ...
Read more >
Java - HTTP Request Smuggling - Veracode - SourceClear
netty -codec-http is vulnerable to HTTP request smuggling. The library does not properly validate duplicate `Content-Length` header fields and the `Transport- ...
Read more >
Authentication
JDK versions prior to Java 9 do not support ALPN and are either missing ... Users of grpc-netty-shaded will automatically use netty-tcnative with...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

[Netty 5] Remove ReplayingDecoder

Next page

Compilation failure