2.5.2 Release Breaking Upstream Dependencies #240
Comments
I see the Maven metadata XML; it indeed has only one version, but normally we update this file during release, so it should have many versions. Was anything broken during the Maven Central migration? @UrielCh

```xml
<metadata>
  <groupId>net.minidev</groupId>
  <artifactId>json-smart</artifactId>
  <versioning>
    <latest>2.5.2</latest>
    <release>2.5.2</release>
    <versions>
      <version>2.5.2</version>
    </versions>
    <lastUpdated>20250212044256</lastUpdated>
  </versioning>
</metadata>
```
Same issue found after 2.5.2 was released.

Same issue here.

It seems that the artifact metadata announces version
The dependency is available in Maven Central, see: https://repo.maven.apache.org/maven2/net/minidev/json-smart/ The issue, as @hezhangjian already mentioned, is that the version history is missing in the maven-metadata.xml.
https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml

Before the bug is fixed, you can manually add the versions to local

```xml
<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>net.minidev</groupId>
  <artifactId>json-smart</artifactId>
  <versioning>
    <latest>2.5.2</latest>
    <release>2.5.2</release>
    <versions>
      <version>2.5.2</version>
      <version>2.5.1</version>
      <version>2.5.0</version>
      <version>2.4.11</version>
      <version>2.4.10</version>
      <version>2.4.9</version>
      <version>2.4.8</version>
      <version>2.4.7</version>
      <version>2.4.6</version>
      <version>2.4.5</version>
      <version>2.4.4</version>
      <version>2.4.2</version>
      <version>2.4.1</version>
      <version>2.3.1</version>
      <version>2.3</version>
      <version>2.2.1</version>
      <version>2.2</version>
      <version>2.1.1</version>
      <version>2.1.0</version>
      <version>2.0</version>
      <version>2.0-RC3</version>
      <version>2.0-RC2</version>
      <version>2.0-RC1</version>
      <version>1.3.3</version>
      <version>1.3.2</version>
      <version>1.3.1</version>
      <version>1.3</version>
      <version>1.2</version>
      <version>1.1.1</version>
      <version>1.1</version>
      <version>1.0.9-1</version>
      <version>1.0.9</version>
      <version>1.0.8</version>
      <version>1.0.6.3</version>
    </versions>
    <lastUpdated>20250212044256</lastUpdated>
  </versioning>
</metadata>
```
Yeah, true, now it shows for me as well. Probably a browser cache issue. Thanks!
Here's a more complete list; versions from https://mvnrepository.com/artifact/net.minidev/json-smart
As an alternative, you can provide the artifact of the required version from a local repository; it will resolve the version discovery issue. For Gradle:

```groovy
repositories {
    mavenCentral()
    // local directory holding the json-smart jar of the version you need
    flatDir {
        dirs 'libs'
    }
}
```
@hezhangjian by when can this be fixed? This is causing build issues on our production codebase.
If you want a quick fix now you can use dependencyManagement. This is best practice anyway to make sure your dependency tree is a little more deterministic and reproducible:

```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
      <version>2.5.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

I am not completely sure if this is best practice, but it does the trick in Gradle for me.

And also

Edit:
@ArloL that works, but not if you run mvn dependency:go-offline, which will try to download an older version even if you specified the latest one with dependencyManagement.
We changed maven-metadata.xml in our Artifactory to have the correct format, as seen above; this seems to be a temporary fix.
It looks like a bug in the process that writes the metadata file. If that is a systematic problem in Sonatype's software, we will have a big problem today.
Temporary fix that installs into a local repository the required version of the library for

```shell
# fetch the jar and its POM for the exact version from Maven Central
wget https://repo.maven.apache.org/maven2/net/minidev/json-smart/2.3/json-smart-2.3.jar
wget https://repo.maven.apache.org/maven2/net/minidev/json-smart/2.3/json-smart-2.3.pom
# install both into the local repository (~/.m2) so resolution no longer needs maven-metadata.xml
mvn install:install-file -Dfile=json-smart-2.3.jar -DpomFile=json-smart-2.3.pom
```
Cross-referencing the same issue reported on StackOverflow: https://stackoverflow.com/a/77851892/16201869
I can reproduce, @cbertoldi. That seems like a bug in maven-dependency-plugin. It looks like go-offline has a few related issues. qaware/go-offline-maven-plugin seems to work for my reproduction with
Thanks @ArloL, I saw those tickets as well. I am a bit skeptical, though, about introducing a plugin that does not seem to be actively maintained; the last release is from 2020.
Can I do anything about that?
@UrielCh Presumably you used Sonatype to publish to Maven Central, which should generate the metadata file for you. To me it looks like a bug on their side.
I'm facing the same issue while installing Azure libraries in Databricks. Did anyone solve it?
It works for me in a Gradle build. I couldn't know where the
Force resolution to an available version. netplex/json-smart-v2#240
Sent a small sponsorship payment to @UrielCh. Least I can do when you have to deal with this.
@UrielCh So then from s01.oss.sonatype.org will it become central.sonatype.com? Need a helping hand? Thank you
I discovered that 2.5.2 isn't the only version available, but it is the only version in the metadata, so if you specify an older version exactly it will work; it only fails if you are using a range. The Spring dependency I am on (old version) has a [1.3,2.3] range. Using @ArloL's fix I was able to build with:
Add version constraint ensuring that we are always using the 2.3 version for json-smart.

There is a transitive dependency to json-smart from the piglet module with a version range [1.3.1,2.3]: project :piglet > org.apache.hadoop:hadoop-common:2.10.2 > org.apache.hadoop:hadoop-auth:2.10.2 > com.nimbusds:nimbus-jose-jwt:7.9

The maven-metadata.xml of json-smart in Maven Central [1] is used to resolve version ranges. After the 2.5.2 release of json-smart [2] the previous versions were removed from the metadata file, leading to failures in the resolution of ranged versions. Using a version constraint bypasses the ranged version problem and improves build stability.

[1] https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml
[2] netplex/json-smart-v2#240
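The two comments above (the [1.3,2.3] Spring range and the [1.3.1,2.3] nimbus-jose-jwt range) both hinge on one mechanism: Maven consults maven-metadata.xml only when it has to resolve a range, while an exact version is fetched by coordinate. The following Python script is an added example, not code from the json-smart project or from anyone in this thread. It models that resolution against constructed copies of the metadata in both states (the single-version file published with 2.5.2 and a repaired file carrying part of the real history), and goes slightly beyond the thread by also covering exclusive bounds and an open upper bound. The version ordering is a simplified approximation of Maven's ComparableVersion, sufficient for the versions listed here; the `pin` parameter models a dependencyManagement entry or Gradle constraint, which replaces the transitive requirement before any range is resolved.

```python
import re
import xml.etree.ElementTree as ET
from functools import cmp_to_key
from typing import List, Optional, Tuple

# Constructed stand-in for the maven-metadata.xml published with 2.5.2:
# only one <version> entry, so no range can see the older releases.
BROKEN_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>net.minidev</groupId>
  <artifactId>json-smart</artifactId>
  <versioning>
    <latest>2.5.2</latest>
    <release>2.5.2</release>
    <versions>
      <version>2.5.2</version>
    </versions>
    <lastUpdated>20250212044256</lastUpdated>
  </versioning>
</metadata>
"""

# Constructed repaired copy: same file, with a subset of the real history restored.
REPAIRED_METADATA = BROKEN_METADATA.replace(
    "<version>2.5.2</version>",
    "".join(f"<version>{v}</version>" for v in
            ["2.5.2", "2.5.1", "2.5.0", "2.4.11", "2.3", "2.2.1",
             "2.0", "2.0-RC3", "1.3.3", "1.3.1", "1.3"]),
)


def _tokens(version: str) -> List[Tuple[int, int, str]]:
    # Simplified ComparableVersion: split on '.' and '-', compare numeric
    # tokens numerically, and rank any qualifier (RC, beta, ...) below a
    # number so that 2.0-RC3 < 2.0 while 1.0.9-1 > 1.0.9.
    out = []
    for tok in re.split(r"[.-]", version.strip().lower()):
        if tok.isdigit():
            out.append((1, int(tok), ""))
        else:
            out.append((0, 0, tok))
    return out


def vcmp(a: str, b: str) -> int:
    """Three-way compare of two version strings (-1, 0, 1)."""
    ta, tb = _tokens(a), _tokens(b)
    pad = (1, 0, "")  # a missing trailing token counts as ".0"
    n = max(len(ta), len(tb))
    ta += [pad] * (n - len(ta))
    tb += [pad] * (n - len(tb))
    return (ta > tb) - (ta < tb)


# [lo,hi]  (lo,hi)  [lo,)  (,hi]  [exact]
_RANGE = re.compile(r"^([\[(])\s*([^,\])]*)\s*(?:,\s*([^\])]*))?\s*([\])])$")


def is_range(spec: str) -> bool:
    return _RANGE.match(spec.strip()) is not None


def in_range(version: str, spec: str) -> bool:
    m = _RANGE.match(spec.strip())
    if m is None:
        raise ValueError(f"not a version range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    if hi is None:  # "[2.3]" pins exactly one version
        return vcmp(version, lo) == 0
    if lo:
        c = vcmp(version, lo)
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = vcmp(version, hi)
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


def resolve(spec: str, metadata_xml: str, pin: Optional[str] = None) -> Optional[str]:
    """Return the version selected for `spec`, or None when no listed version
    satisfies a range. `pin` models a managed version (dependencyManagement or
    a Gradle constraint) that overrides the transitive requirement."""
    if pin is not None:
        spec = pin
    if not is_range(spec):
        # A plain version is fetched by coordinate; maven-metadata.xml is not
        # consulted, which is why exact older versions kept working.
        return spec.strip()
    versions = [v.text for v in ET.fromstring(metadata_xml).iter("version")]
    candidates = [v for v in versions if in_range(v, spec)]
    if not candidates:
        return None
    return max(candidates, key=cmp_to_key(vcmp))


if __name__ == "__main__":
    for spec, md, label in [("[1.3,2.3]", BROKEN_METADATA, "broken"),
                            ("[1.3,2.3]", REPAIRED_METADATA, "repaired"),
                            ("2.3", BROKEN_METADATA, "broken"),
                            ("[1.3,)", BROKEN_METADATA, "broken")]:
        print(f"{spec:>10} against {label:>8} metadata -> {resolve(spec, md)}")
    print("[1.3,2.3] with pin 2.3 ->", resolve("[1.3,2.3]", BROKEN_METADATA, pin="2.3"))
```

The open-ended `[1.3,)` case is the one worth noticing from a supply-chain angle: against the broken file it silently resolves to 2.5.2, so whatever the metadata file happens to list decides which jar the build runs. A pinned version removes that dependence on the metadata entirely, which is the real reason the dependencyManagement and constraint workarounds above are robust rather than just convenient.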
@ArloL I specified the maximum version allowed by the library that imports "json-smart" in my build.gradle, so I don't get any more errors at build time. Thank you
Exactly, it works for me when quoting the exact version and excluding this dependency from the other referred dependencies, like msl4j, Spring OAuth etc.
I can confirm this: I have an SBT project with the dependency line If I delete this line and remove This suggests yet another workaround to investigate: add MuleSoft to your list of resolvers.
I believe this is done to provide all versions in Maven Central, but how much time does it take to publish? The build is still failing for me.
Have people been able to verify for sure that this new release fixes the CVE? My Snyk scan is still showing that the vuln exists for this version, but I'm presuming that is likely due to Snyk not being fully up to date with the patch version.
I am seeing all the versions at https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml now. I just took out the
It's published now and working for us. No change done at our end.

Thanks for the quick turnaround @hezhangjian and @UrielCh, much appreciated!
(Extracted from #236 (comment))

Is it correct that 2.5.2 is supposed to be the only version specified in https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml ?

This is breaking some upstream dependencies, namely oauth2-oidc-sdk, which has this in its POM:

transitive via io.kubernetes:client-java