-
-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add BOM / dependency management support #3924
Conversation
Sir @alexarchambault, will this add bom support for jetpack compose libs also? |
If it only relies on a "BOM", that should yes. But this PR isn't about the Gradle module metadata stuff, that was mentioned too in one of your PRs. |
Actually i think this will work(not sure) lets see after it gets merged then i will try this once |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we need to take transitive bomDeps
into account? In it's current draft, bomDeps
is only used intransitively.
As a rule of thumb, transitive moduleDeps
should behave the same as transitive ivyDeps
. If an upstream dependency import a BOM and that BOM is considered by coursier when resolving dependencies, it should also work, if that upstream dependency is a local module.
@lefou Yes, that's what I meant by "make things working for multi-module projects". In the ITs, I intend to publish locally things in a directory, and check that resolution by coursier of stuff published locally gives the same class path as Mill computes internally. |
Conflicts: build.mill
Conflicts: scalalib/src/mill/scalalib/PublishModule.scala scalalib/src/mill/scalalib/publish/Pom.scala
This comment was marked as outdated.
This comment was marked as outdated.
2843192
to
067d84d
Compare
This comment was marked as outdated.
This comment was marked as outdated.
If this is gone, do we still support |
// | ||
// Also, by default, grpc-protobuf `1.67.1` pulls version `3.25.3` of protobuf-java (`com.google.protobuf:protobuf-java`) . | ||
// But the BOM specifies another version for that dependency, `4.28.3`, so | ||
// protobuf-java `4.28.3` ends up being pulled here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should mention what happens if there are multiple bomDeps
and how overlaps and resolved. You mentioned it in the PR discussion, but it should be included in the docs since people will want to know
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also we should include
If users specify both bomDeps and dependencyManagement, versions from the latter ought to be picked, but I'd like to check that and add non-regression tests for it.
Versions from dependencyManagement should be picked IMO, so that things are consistent with ivyDeps: if a version is in ivyDeps, we use this one. Else the one from dependencyManagement. Else the one obtained via bomDeps. The version "specified the closest" to the ivyDeps wins.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For exclusions, all exclusions from all BOMs added to a dependency are added.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For exclusions, all exclusions from all BOMs added to a dependency are added.
Adding that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also we should include
If users specify both bomDeps and dependencyManagement, versions from the latter ought to be picked, but I'd like to check that and add non-regression tests for it.
Versions from dependencyManagement should be picked IMO, so that things are consistent with ivyDeps: if a version is in ivyDeps, we use this one. Else the one from dependencyManagement. Else the one obtained via bomDeps. The version "specified the closest" to the ivyDeps wins.
For those, I'm going to add them in a subsequent PR. I wrote tests locally to assert that, and they don't pass (yet). That might need changes in coursier. I'd merge the PR here and leave that behavior unspecified for a (short) amount of time.
example/fundamentals/library-deps/bom-2-dependency-management/build.mill
Outdated
Show resolved
Hide resolved
Some minor comments. I didn't review the code changes in detail, but I expect the existing and new test suites should give us confidence that things work |
@lefou I'm planning on merging this once the next round of review updates is done, so take a look if you have time |
* ) | ||
* }}} | ||
*/ | ||
def dependencyManagement: T[Agg[Dep]] = Task { Agg.empty[Dep] } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we name this def depManagement
? We use deps
/Deps
throughout the rest of the codebase, so this would make the API a bit more consistent
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
depMgmt
could work too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Went for depManagement
for now
That's unsupported. Users have to explicitly override |
I don't think there is any (valid) use case for that. The only I could imagine is a user trying to produce |
Not really sure what the exact use case would be either, TBH |
Should help in subsequent PRs
This looks great, thanks @alexarchambault! Looking forward to the follow ups. I also chatted with the Bazel folks and they seem pretty interested in making use of the new BOM support in Coursier! |
So, I did take a look, I also commented and there were open unresolved remarks but this was merged anyways. I don't think we should compromise consistency for quickly merging features. It looks like the whole Scala build tool community seem to be interested in BOM support, so we should also try to find a nice user experience. It's technically complicated enough. The inconsistent empty version vs. |
I thought the resolution was that |
Thanks. This is a complex issue after all. The Although we don't accept a |
@alexarchambault how hard would it be to tweak the coursier parser upstream to allow |
Having a look, to me the main point of Admittedly, the |
This adds tests to ensure the versions in `JavaModule#depManagement` have precedence over those coming via `JavaModule#bomDeps`. The tests fail for now (might need changes in coursier…) Includes #3924 for now
This PR adds support for user-specified BOMs and dependency management in Mill.
BOM support allows users to pass the coordinates of an existing Maven "Bill of Material" (BOM), such as this one, that contains versions of dependencies, meant to override those pulled during dependency resolution. (They can also add exclusions to dependencies.)
It also allows users to specify the coordinates of a parent POM, which are taken into account just like a BOM:
(in line with
PublishModule#pomParentProject
that's been added recently)It allows users to specify "dependency management", which act like the dependencies listed in a BOM: versions in dependency management override those pulled transitively during dependency resolution, and exclusions in its dependencies are added to the same dependencies during dependency resolution.
BOM and dependency management also allow for "placeholder" versions: users can use
_
as version in theirivyDeps
, and the version of that dependency will be picked either in dependency management or in BOMs:A tricky aspect of that PR is that details about BOMs and dependency management have to be passed around via several paths:
moduleDeps
: BOMs and dependency management of module dependencies have to be applied to the dependencies of the module they come fromto transitive modules pulled via(worked out-of-the-box with the previous point, viamoduleDeps
: BOMs and dependency management of a module dependency have to be applied to the dependencies of modules they pull transitively (if A depends on B and B depends on C, from A, the BOMs and dep mgmt of B apply to C's dependencies too)transitiveIvyDeps
)ivy.xml
: when publishing to Ivy repositories (like duringpubishLocal
), BOMs and dep mgmt details need to be written in theivy.xml
file, so that they're taken into account when resolving that module from the Ivy repoFixes #1975