英文:

Quarkus enforcedplatform BOM in build.gradle.kts breaks added dependency

问题

我已添加依赖项 implementation("com.netflix.conductor:conductor-client:3.13.8") 到我的 Quarkus 项目中。但是 enforcedPlatform("${quarkusPlatformGroupId}:${quarkusPlatformArtifactId}:${quarkusPlatformVersion}") 破坏了 conductor-client 的传递依赖关系。我查看了 Gradle 文档，他们建议使用 exclude，但在我的情况下 exclude 没有起作用。

构建 Gradle 文件：

plugins {
    kotlin("jvm") version "1.8.22"
    kotlin("plugin.allopen") version "1.8.22"
    id("io.quarkus")
}
    
repositories {
    mavenCentral()
    mavenLocal()
}
    
val quarkusPlatformGroupId: String by project
val quarkusPlatformArtifactId: String by project
val quarkusPlatformVersion: String by project
val ktor_version: String by project
    
dependencies {
    implementation(enforcedPlatform("${quarkusPlatformGroupId}:${quarkusPlatformArtifactId}:${quarkusPlatformVersion}"))
    implementation("io.quarkus:quarkus-picocli")
    implementation("io.quarkus:quarkus-kotlin")
    implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
    implementation("io.quarkus:quarkus-arc")
    implementation("io.ktor:ktor-client-cio-jvm:2.3.3")
    testImplementation("io.quarkus:quarkus-junit5")
    implementation("io.ktor:ktor-client-core:$ktor_version")
    implementation("io.ktor:ktor-client-cio:$ktor_version")
    // https://mvnrepository.com/artifact/com.netflix.conductor/conductor-client
    implementation("com.netflix.conductor:conductor-client:3.13.8")
}
    
group = "io.my1795"
version = "1.0.0-SNAPSHOT"
    
java {
    sourceCompatibility = JavaVersion.VERSION_17
    targetCompatibility = JavaVersion.VERSION_17
}
   
tasks.withType<Test> {
    systemProperty("java.util.logging.manager", "org.jboss.logmanager.LogManager")
}
allOpen {
    annotation("jakarta.ws.rs.Path")
    annotation("jakarta.enterprise.context.ApplicationScoped")
    annotation("io.quarkus.test.junit.QuarkusTest")
}
    
tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
    kotlinOptions.jvmTarget = JavaVersion.VERSION_17.toString()
    kotlinOptions.javaParameters = true
}

在 quarkusBuild 后出现错误：

11:29:08 AM: Executing 'quarkusBuild'...

> Task :processResources UP-TO-DATE
> Task :quarkusGenerateCode FAILED

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/8.1.1/userguide/command_line_interface.html#sec:command_line_warnings
2 actionable tasks: 1 executed, 1 up-to-date

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':quarkusGenerateCode'.
> Could not resolve all files for configuration ':quarkusProdBaseRuntimeClasspathConfiguration'.
   > Could not resolve org.apache.logging.log4j:log4j-api:2.20.0.
     Required by:
         project : > io.quarkus.platform:quarkus-bom:3.2.3.Final
      > Cannot find a version of 'org.apache.logging.log4j:log4j-api' that satisfies the version constraints:
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Constraint path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'io.quarkus.platform:quarkus-bom:3.2.3.Final' (enforced-platform-runtime) --> 'org.apache.logging.log4j:log4j-api:2.20.0'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-core:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-jul:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-web:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-annotations:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'

   > Could not resolve org.apache.logging.log4j:log4j-api:{strictly 2.17.2

<details>
<summary>英文:</summary>

I have added a dependecny `implementation(&quot;com.netflix.conductor:conductor-client:3.13.8&quot;)` 
for my quarkus project. However `enforcedPlatform(&quot;${quarkusPlatformGroupId}:${quarkusPlatformArtifactId}:${quarkusPlatformVersion}&quot;)` breaks transitive dependency of conductor-client. I looked at gradle documentation, They suggest to use exclude but exclude did not work in my case 

**Build Gradle File:** 
```kts
plugins {
    kotlin(&quot;jvm&quot;) version &quot;1.8.22&quot;
    kotlin(&quot;plugin.allopen&quot;) version &quot;1.8.22&quot;
    id(&quot;io.quarkus&quot;)
}
    
repositories {
    mavenCentral()
    mavenLocal()
}
    
val quarkusPlatformGroupId: String by project
val quarkusPlatformArtifactId: String by project
val quarkusPlatformVersion: String by project
val ktor_version: String by project
    
dependencies {
    implementation(enforcedPlatform(&quot;${quarkusPlatformGroupId}:${quarkusPlatformArtifactId}:${quarkusPlatformVersion}&quot;))
    implementation(&quot;io.quarkus:quarkus-picocli&quot;)
    implementation(&quot;io.quarkus:quarkus-kotlin&quot;)
    implementation(&quot;org.jetbrains.kotlin:kotlin-stdlib-jdk8&quot;)
    implementation(&quot;io.quarkus:quarkus-arc&quot;)
    implementation(&quot;io.ktor:ktor-client-cio-jvm:2.3.3&quot;)
    testImplementation(&quot;io.quarkus:quarkus-junit5&quot;)
    implementation(&quot;io.ktor:ktor-client-core:$ktor_version&quot;)
    implementation(&quot;io.ktor:ktor-client-cio:$ktor_version&quot;)
    // https://mvnrepository.com/artifact/com.netflix.conductor/conductor-client
    implementation(&quot;com.netflix.conductor:conductor-client:3.13.8&quot;)
}
    
group = &quot;io.my1795&quot;
version = &quot;1.0.0-SNAPSHOT&quot;
    
    
    
java {
    sourceCompatibility = JavaVersion.VERSION_17
    targetCompatibility = JavaVersion.VERSION_17
}
   
tasks.withType&lt;Test&gt; {
    systemProperty(&quot;java.util.logging.manager&quot;, &quot;org.jboss.logmanager.LogManager&quot;)
}
allOpen {
    annotation(&quot;jakarta.ws.rs.Path&quot;)
    annotation(&quot;jakarta.enterprise.context.ApplicationScoped&quot;)
    annotation(&quot;io.quarkus.test.junit.QuarkusTest&quot;)
}
    
tasks.withType&lt;org.jetbrains.kotlin.gradle.tasks.KotlinCompile&gt; {
    kotlinOptions.jvmTarget = JavaVersion.VERSION_17.toString()
    kotlinOptions.javaParameters = true
}

Failure after quarkusBuild

11:29:08 AM: Executing 'quarkusBuild'...

> Task :processResources UP-TO-DATE
> Task :quarkusGenerateCode FAILED

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/8.1.1/userguide/command_line_interface.html#sec:command_line_warnings
2 actionable tasks: 1 executed, 1 up-to-date

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':quarkusGenerateCode'.
> Could not resolve all files for configuration ':quarkusProdBaseRuntimeClasspathConfiguration'.
   > Could not resolve org.apache.logging.log4j:log4j-api:2.20.0.
     Required by:
         project : > io.quarkus.platform:quarkus-bom:3.2.3.Final
      > Cannot find a version of 'org.apache.logging.log4j:log4j-api' that satisfies the version constraints:
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Constraint path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'io.quarkus.platform:quarkus-bom:3.2.3.Final' (enforced-platform-runtime) --> 'org.apache.logging.log4j:log4j-api:2.20.0'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-core:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-jul:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-web:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-annotations:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'

   > Could not resolve org.apache.logging.log4j:log4j-api:{strictly 2.17.2}.
     Required by:
         project : > com.netflix.conductor:conductor-client:3.13.8
         project : > com.netflix.conductor:conductor-client:3.13.8 > com.netflix.conductor:conductor-common:3.13.8
         project : > com.netflix.conductor:conductor-client:3.13.8 > com.netflix.conductor:conductor-common:3.13.8 > com.netflix.conductor:conductor-annotations:3.13.8
      > Cannot find a version of 'org.apache.logging.log4j:log4j-api' that satisfies the version constraints:
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Constraint path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'io.quarkus.platform:quarkus-bom:3.2.3.Final' (enforced-platform-runtime) --> 'org.apache.logging.log4j:log4j-api:2.20.0'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-core:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-jul:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-web:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-annotations:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'

   > Could not resolve org.apache.logging.log4j:log4j-api:2.17.2.
     Required by:
         project : > com.netflix.conductor:conductor-client:3.13.8 > org.apache.logging.log4j:log4j-core:2.17.2
         project : > com.netflix.conductor:conductor-client:3.13.8 > org.apache.logging.log4j:log4j-slf4j-impl:2.17.2
         project : > com.netflix.conductor:conductor-client:3.13.8 > org.apache.logging.log4j:log4j-jul:2.17.2
         project : > com.netflix.conductor:conductor-client:3.13.8 > org.apache.logging.log4j:log4j-web:2.17.2
      > Cannot find a version of 'org.apache.logging.log4j:log4j-api' that satisfies the version constraints:
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Constraint path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'io.quarkus.platform:quarkus-bom:3.2.3.Final' (enforced-platform-runtime) --> 'org.apache.logging.log4j:log4j-api:2.20.0'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-core:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-jul:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-web:2.17.2' (runtime) --> 'org.apache.logging.log4j:log4j-api:2.17.2'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'
           Dependency path 'io.my1795:conductor-commander:1.0.0-SNAPSHOT' --> 'com.netflix.conductor:conductor-client:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-common:3.13.8' (runtimeElements) --> 'com.netflix.conductor:conductor-annotations:3.13.8' (runtimeElements) --> 'org.apache.logging.log4j:log4j-api:{strictly 2.17.2}'


* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 370ms
11:29:08 AM: Execution finished 'quarkusBuild'.

答案1

得分: 0

我认为这是conductor中的一个错误。

一个库通常不应该严格依赖于某个具体版本，否则会出现像这样的问题，库严格要求某个版本，而某个构建或其他库又严格依赖于另一个版本，无法解决冲突。

在你的情况下，通过使用 enforcedPlatform 添加了第二个严格版本，这会添加严格的约束条件，通常也不应该使用。它更适用于罕见的特殊情况，通常只应使用 platform。

但除此之外，如果你查看 https://github.com/Netflix/conductor/blob/v3.13.8/build.gradle#L108-L116，似乎严格的边界应该允许在2.17.2和3.0之间的任何版本，但构建的其他部分似乎会将其更改为严格的2.17.2。

除此之外，除了 log4j-core 之外的整个块都是非常有问题的。这很可能是为了防止Log4Shell，但无论如何，Log4Shell只影响 log4j-core，因此对于其他 log4j 依赖项来说，拥有所有这些是毫无意义的，只会减慢依赖项解析的速度。

但确实可以使用排除来临时解决你的问题。你说它没有起作用，但没有说明你在哪里以及如何尝试过。例如，你可以从 conductor-client 依赖项中排除它，然后手动依赖它，如果没有其他部分依赖于它，并且 conductor-client 需要它。

英文:

I would say that is a bug in conductor.

A library should usually never strictly depend on some concrete version or you get problems like this where the library strictly requires a version and some build or other library strictly depends on some other version which then cannot be resolved.

In your case you add the second strict version by using enforcedPlatform which adds strict constraints and should usually also not be used. It is more for rare edge cases and usually just platform should be used.

But besides that, if you look at https://github.com/Netflix/conductor/blob/v3.13.8/build.gradle#L108-L116 it seems that the strict boundary should allow any version between 2.17.2 and 3.0, but some other part of the build seems to change this to strictly only 2.17.2.

Besides that the whole block except for log4j-core is very questionable. It is most probably to protect against Log4Shell, which anyway only affects log4j-core, so having all theses for the other log4j dependencies is pointless anyway and just slows down dependency resolution potentially.

But indeed an exclude should work to ad-hoc solve your problem. You said it didn't work, but but did not say where and how you tried it. You could for example exclude it from the conductor-client dependency and then depend manually on it if no other part depends on it and conductor-client needs it.