JJWT dependency confusion

Question

I inherited a Java project that has this in the POM.xml:

```xml
<properties>
    <jjwt.version>0.11.1</jjwt.version>
</properties>

<!-- from https://github.com/jwtk/jjwt#maven -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>${jjwt.version}</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>${jjwt.version}</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
    <version>${jjwt.version}</version>
    <scope>runtime</scope>
</dependency>

<!-- what is this "jjwt" dep, and why might it be using a different version? -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>
```

What is this "jjwt" dep, and why might it be using a different version?

I don't see any mention of it at https://github.com/jwtk/jjwt

but it is here: https://mvnrepository.com/artifact/io.jsonwebtoken

Answer 1

Score: 9

Prior to the JJWT version 0.10.0, both the API and the implementation were packaged as a single artifact, io.jsonwebtoken:jjwt.

Starting with version 0.10.0, API and implementation were split into two different artifacts.

An excerpt from the JJWT Release Notes, version 0.10.0:

> JJWT's new modular design utilizes distinctions between compile and runtime dependencies to ensure you only depend on the public APIs that are safe to use in your application. All internal/private implementation classes have been moved to a new jjwt-impl runtime dependency.
>
> If you depended on any internal implementation classes in the past, you have two choices:
>
> * Refactor your code to use the public-only API classes and interfaces in the jjwt-api .jar. Any functionality you might have used in the internal implementation should be available via newer cleaner interfaces and helper classes in that .jar.
>
> * Specify the new jjwt-impl .jar not as a runtime dependency but as a compile dependency. This would make your upgrade to JJWT 0.10.0 fully backwards compatible, but you do so at your own risk. JJWT will make NO semantic version compatibility guarantees in the jjwt-impl .jar moving forward. Semantic versioning will be very carefully adhered to in all other JJWT dependencies however.


My guess is that your project's team just didn't finish the upgrade from JJWT <= 0.9 to JJWT >= 0.10.
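
A check for the situation this answer describes, as an added example (not from the original post or the JJWT project): it parses a POM and reports when the pre-0.10.0 `io.jsonwebtoken:jjwt` artifact is declared alongside the split `jjwt-*` artifacts, which puts the old combined API and implementation on the classpath next to the new ones. The function names and the sample POM are constructed for illustration, and only `<properties>` in the same file are resolved.

```python
import xml.etree.ElementTree as ET

GROUP = "io.jsonwebtoken"
LEGACY = "jjwt"  # single artifact (API + implementation) used before 0.10.0

# Constructed sample mirroring the dependencies in the question.
SAMPLE_POM = """<project><properties><jjwt.version>0.11.1</jjwt.version></properties>
<dependencies>
 <dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-api</artifactId><version>${jjwt.version}</version></dependency>
 <dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-impl</artifactId><version>${jjwt.version}</version></dependency>
 <dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-jackson</artifactId><version>${jjwt.version}</version></dependency>
 <dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.1</version></dependency>
</dependencies></project>"""


def _local(tag):
    # Drop the "{namespace}" prefix so POMs with the Maven xmlns parse the same way.
    return tag.rsplit("}", 1)[-1]


def jjwt_dependencies(pom_text):
    """Return {artifactId: version} for io.jsonwebtoken deps in this POM only."""
    root = ET.fromstring(pom_text)  # for POMs you trust; not hardened for hostile XML
    props, deps = {}, {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("groupId") == GROUP and "artifactId" in fields:
            version = fields.get("version", "")
            if version.startswith("${") and version.endswith("}"):
                version = props.get(version[2:-1], version)  # resolve ${property}
            deps[fields["artifactId"]] = version
    return deps


def audit(pom_text):
    """Flag a half-finished migration: legacy artifact next to the split ones."""
    deps = jjwt_dependencies(pom_text)
    split = {a: v for a, v in deps.items() if a.startswith("jjwt-")}
    findings = []
    if LEGACY in deps and split:
        findings.append(f"legacy {GROUP}:{LEGACY}:{deps[LEGACY]} coexists with "
                        f"{', '.join(sorted(split))}; finish the migration")
    if len(set(split.values())) > 1:
        findings.append(f"split artifacts use mixed versions: {split}")
    return findings
```

Run it against a real project with `audit(open("pom.xml").read())`; an empty list means neither condition was found in that file.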

huangapple
  • Posted on August 11, 2020, 03:18:17
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63346655.html