gradle-versions-plugin: Running dependencyUpdates in projects without jvm-ecosystem can fail to resolve updated versions
Steps to Reproduce
- Checkout https://github.com/ben-manes/caffeine
- Run dependencyUpdates
- See output:
> Task :dependencyUpdates
------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest milestone version:
...
The following dependencies have later milestone versions:
...
Failed to determine the latest version for the following dependencies (use --info for details):
- com.beust:jcommander
1.82
Running with info shows:
Failed to determine the latest version for the following dependencies (use --info for details):
- com.beust:jcommander
1.82
The exception that is the cause of unresolved state: org.gradle.internal.resolve.ModuleVersionResolveException: Could not resolve com.beust:jcommander:+.
Required by:
project :
Caused by: org.gradle.internal.component.NoMatchingConfigurationSelectionException: No matching variant of com.beust:jcommander:1.82 was found. The consumer was configured to find attribute 'org.gradle.jvm.version' with value '2147483647' but:
- Variant 'apiElements' capability com.beust:jcommander:1.82:
- Incompatible because this component declares attribute 'org.gradle.jvm.version' with value '8' and the consumer needed attribute 'org.gradle.jvm.version' with value '2147483647'
- Variant 'runtimeElements' capability com.beust:jcommander:1.82:
- Incompatible because this component declares attribute 'org.gradle.jvm.version' with value '8' and the consumer needed attribute 'org.gradle.jvm.version' with value '2147483647'
Resolution
In general, any project which performs dependency-resolution on JVM artifacts must apply the jvm-ecosystem plugin. The versions plugin sets the TARGET_JVM_VERSION_ATTRIBUTE attribute and therefore must apply this plugin.
To see the resolution in action, add apply plugin: 'jvm-ecosystem' to the root build.gradle file in caffeine.
Context: https://github.com/ben-manes/gradle-versions-plugin/issues/727#issuecomment-1467157595
About this issue
- State: open
- Created a year ago
- Reactions: 2
- Comments: 16 (8 by maintainers)
From https://github.com/ben-manes/gradle-versions-plugin/issues/822, it may be that the corrupted dependency graph is due to Gradle 8.4’s XML security change (an underlying SAXNotRecognizedException). As plugins like Android have transitive dependencies on an insecure old XML parser, you can work around it by adding the following to your gradle.properties.
I’m afraid it’s too unsafe to do that. If you are on another JDK, like IBM’s, it’s different implementation classes. Or someone might plug in a different implementation on purpose.
The master branch now includes a check and fails early with a descriptive warning. I think that will help, but is not released yet.
This did resolve the issue I was having in my project after updating from Gradle 8.3 to 8.4, resulting in many unresolved version checks and
Caused by: java.lang.RuntimeException: Problems reading data from Binary store in ...
and
Caused by: java.lang.IllegalStateException: Corrupt serialized resolution result. Cannot find selected component ... for constraint ...
errors.
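An added example, not part of the original thread or the plugin's own code: a small Python check a CI job could run over saved dependencyUpdates --info output, so that dependencies whose update check failed are listed instead of silently dropping out of the report, and the two error signatures quoted in this thread are flagged. The function name, the cause labels and the sample log are constructed for this example.

```python
import re

FAILED_HEADER = "Failed to determine the latest version for the following dependencies"
COORD = re.compile(r"^\s*-\s+([\w.\-]+:[\w.\-]+)\s*$")  # "- group:artifact"
VERSION = re.compile(r"^\s*\d[\w.\-+]*\s*$")            # current version printed under it

# Error signatures quoted in the thread, keyed by labels chosen for this example.
SIGNATURES = {
    "jvm-version-attribute-mismatch": re.compile(
        r"attribute 'org\.gradle\.jvm\.version' with value '2147483647'"),
    "corrupt-resolution-result": re.compile(
        r"Corrupt serialized resolution result|Problems reading data from Binary store"),
}


def triage(log: str) -> dict:
    """Collect unresolved coordinates and known failure signatures from a report."""
    unresolved, causes, in_failed = [], set(), False
    for line in log.splitlines():
        if FAILED_HEADER in line:
            in_failed = True
            continue
        if in_failed:
            match = COORD.match(line)
            if match:
                if match.group(1) not in unresolved:
                    unresolved.append(match.group(1))
                continue
            if VERSION.match(line):
                continue
            in_failed = False  # first line that is neither ends the list
        for label, pattern in SIGNATURES.items():
            if pattern.search(line):
                causes.add(label)
    return {"unresolved": unresolved, "causes": sorted(causes)}


# Constructed sample, assembled from the --info lines quoted in the issue.
SAMPLE = """\
Failed to determine the latest version for the following dependencies (use --info for details):
 - com.beust:jcommander
     1.82
The exception that is the cause of unresolved state: org.gradle.internal.resolve.ModuleVersionResolveException: Could not resolve com.beust:jcommander:+.
  - Incompatible because this component declares attribute 'org.gradle.jvm.version' with value '8' and the consumer needed attribute 'org.gradle.jvm.version' with value '2147483647'
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result)
    raise SystemExit(1 if result["unresolved"] else 0)  # non-zero exit fails the CI step
```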