jsoup: OSGi import of javax.annotation and javax.annotation.meta is broken in 1.14.2
In jsoup version 1.14.2, the OSGi import of the package javax.annotation is imported with a version >= 3.0 and < 4.0.
This makes the jsoup 1.14.2 bundle fail to load on apache karaf which provides version 1.3.0 of the package (from the apache felix runtime).
Possible fixes:
- Check if the import is actually sed at runtime, and remove the import of javax.annotation, if it isn’t actually needed (earlier versions of jsoup does not have this import)
- Remove the versioning of the import (the actual content of the javax.annotation package has AFAIK not changed since, like, forever)
- Expand the version range on the javax.annotation import, from [3.0, 4) to [1.0, 4)
Not sure where the 3.0 version of the import comes from…? I have googled, and think, maybe from this 2011 vintage, org.glassfish rebundling of javax.annotation? https://mvnrepository.com/artifact/org.glassfish/javax.annotation
The javax.annotation.meta package will probably also have to be handled in the same way? From the MANIFEST.MF of jsoup 1.14.2:
Import-Package: javax.annotation;version="[3.0,4)",javax.annotation.meta
;version="[3.0,4)",javax.net.ssl,javax.xml.parsers,javax.xml.transform,
javax.xml.transform.dom,javax.xml.transform.stream,org.jsoup;version="[
1.14,2)",org.jsoup.helper;version="[1.14,2)",org.jsoup.internal;version
="[1.14,2)",org.jsoup.nodes;version="[1.14,2)",org.jsoup.parser;version
="[1.14,2)",org.jsoup.safety;version="[1.14,2)",org.jsoup.select;versio
n="[1.14,2)",org.w3c.dom
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 22 (17 by maintainers)
Commits related to this issue
- Remove version from the javax.annotation OSGi package imports to fix #1616 — committed to steinarb/jsoup by steinarb 3 years ago
- [fixes #1616] Make the imports of javax.annotation(.meta) optional — committed to pgorny/jsoup by pgorny 3 years ago
- Remove the javax.annotation* OSGi package imports to finally fix #1616 — committed to steinarb/jsoup by steinarb 3 years ago
- [fixes #1616] Make the imports of javax.annotation(.meta) optional — committed to jhy/jsoup by pgorny 3 years ago
Got it; will shoot for earlier rather than later
Good news everyone! Jsoup 1.14.3 is available now: https://github.com/jhy/jsoup/releases/tag/jsoup-1.14.3
(BTW going forward, best to just give a thumbs-up to the issue or a note vs adding a “me too” comment that you’re waiting on a release, unless you have extra detail. That helps reduce clutter, and you’ll still get notified from watching the issue)
I’m joining those who waits for release 🙄 Thank you in advance!
Not blocked as such.
But the other github message today was a nag about fixing a particular security issue in some of my projects…😉
@jhy Could you please let me know when will this be available to consume? Currently, I don’t see a due date for the 1.14.3 milestone. https://github.com/jhy/jsoup/milestone/21
OK thanks for this. I have gone for #1619 as it seems most appropriate. The annotations are intended to be used at development time only (which is not exactly build-time). But including them as resolution:optional should leave the way to run-time annotation inspection if that’s needed for someone’s use-case.
If we see issues down the line we can of course revisit.
I will now gripe about the difficulty of finding a useful way to include non-null assertions that are not license encumbered. Further, I added them with the intent of improving how Kotlin integrates with the library, but it turns out that it basically ignores them all, as it gave up on null/non-null strictness on Java method returns a few years back, and just treats everything as hand-wavey safe / maybe unsafe.
@jhy It does not resolve it for me. It fixes the version dependency (so javax.annotation can be provided by any software), but not the fact that a import of
javax.annotation.metais still a required dependency.A solution would be to make the resolution of those optional, something I’ve created a PR for in #1619.