Closed
Description
Enforcer plugin reports dependency convergence issue for Statsig SDK:
```
Dependency convergence error for com.google.protobuf:protobuf-java:3.25.3 paths to dependency are:
+-org.detouched.playground:statsig:1.0-SNAPSHOT
  +-com.statsig:serversdk:1.25.0
    +-io.grpc:grpc-protobuf:1.66.0
      +-com.google.protobuf:protobuf-java:3.25.3
and
+-org.detouched.playground:statsig:1.0-SNAPSHOT
  +-com.statsig:serversdk:1.25.0
    +-io.grpc:grpc-protobuf:1.66.0
      +-com.google.api.grpc:proto-google-common-protos:2.41.0
        +-com.google.protobuf:protobuf-java:3.25.3
and
+-org.detouched.playground:statsig:1.0-SNAPSHOT
  +-com.statsig:serversdk:1.25.0
    +-com.google.protobuf:protobuf-java:3.24.4
```
This can be solved by manually excluding transitive dependency on `protobuf-java` and explicitly adding a direct dependency on it, but this means I'll have to keep an eye on the version compatibility in the future which isn't great.

Since `io.grpc:grpc-protobuf` already pulls in `com.google.protobuf:protobuf-java`, it doesn't make much sense to keep an explicit dependency on the latter in Gradle config unless it was added to avoid some vulnerability. I don't think it is the case, so maybe it's worth removing it?
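The consumer-side workaround described in this report, written out as a `pom.xml` fragment. This is an added example, not part of the original report or the Statsig project; it assumes a Maven build (the enforcer output format suggests one) and pins `protobuf-java` to 3.25.3, the version that `grpc-protobuf` 1.66.0 resolves in the output above.

```xml
<dependencies>
  <!-- Statsig SDK with its protobuf-java stripped out. The exclusion applies to
       the whole subtree, so it removes the SDK's direct 3.24.4 as well as the
       3.25.3 that arrives through grpc-protobuf and proto-google-common-protos. -->
  <dependency>
    <groupId>com.statsig</groupId>
    <artifactId>serversdk</artifactId>
    <version>1.25.0</version>
    <exclusions>
      <exclusion>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Single, explicit protobuf-java version for the build (assumption: 3.25.3,
       matching what grpc-protobuf 1.66.0 pulls in per the enforcer output).
       This pin has to be re-checked whenever serversdk or grpc-protobuf is
       upgraded, and it is the line to bump if a protobuf-java advisory lands. -->
  <dependency>
    <groupId>com.google.protobuf</groupId>
    <artifactId>protobuf-java</artifactId>
    <version>3.25.3</version>
  </dependency>
</dependencies>
```

With the exclusion in place, every path in the enforcer report collapses to the one declared version, so the `dependencyConvergence` rule passes; `mvn dependency:tree -Dincludes=com.google.protobuf:protobuf-java` confirms which version is actually resolved.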