Skip to content
This repository was archived by the owner on Dec 4, 2025. It is now read-only.

#1596 Fix Dependency convergence issue + enable Maven Enforcer #37

Merged
langchain4j merged 4 commits into from
Aug 21, 2024
Merged

#1596 Fix Dependency convergence issue + enable Maven Enforcer #37

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d05098f
re #1596 Bump ai.djl.huggingface:tokenizers from 0.26.0 to 0.28.0
Dohbedoh Aug 16, 2024
2269086
re #1596 Enable Maven (version) enforcer plugin
Dohbedoh Aug 16, 2024
03a00f8
re #1596 Add exclusion of ai.djl:api from ai.djl.huggingface:tokenizers
Dohbedoh Aug 16, 2024
d708144
re #1596 Add slf4j exclusion + use property for ai.djl version
Dohbedoh Aug 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions langchain4j-embeddings/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@
<artifactId>langchain4j-embeddings</artifactId>
<name>langchain4j-embeddings</name>
<description>Common functionality for other langchain4j-embeddings-xxx modules</description>

<properties>
<ai.djl.version>0.28.0</ai.djl.version>
</properties>

<dependencies>

Expand All @@ -32,13 +36,17 @@
<dependency>
<groupId>ai.djl</groupId>
<artifactId>api</artifactId>
<version>0.28.0</version>
<version>${ai.djl.version}</version>
<exclusions>
<!-- due to CVE-2024-26308 and CVE-2024-25710-->
<exclusion>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
</exclusion>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
Expand All @@ -50,7 +58,13 @@
<dependency>
<groupId>ai.djl.huggingface</groupId>
<artifactId>tokenizers</artifactId>
<version>0.26.0</version>
<version>${ai.djl.version}</version>
<exclusions>
<exclusion>
<groupId>ai.djl</groupId>
<artifactId>api</artifactId>
Copy link
Collaborator

@langchain4j langchain4j Aug 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we exclude slf4j-api on ai.djl:api instead?

        <dependency>
            <groupId>ai.djl</groupId>
            <artifactId>api</artifactId>
            <version>0.28.0</version>
            <exclusions>
                <!-- due to CVE-2024-26308 and CVE-2024-25710-->
                <exclusion>
                    <groupId>org.apache.commons</groupId>
                    <artifactId>commons-compress</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>slf4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

Copy link
Contributor Author

@Dohbedoh Dohbedoh Aug 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not following. I am not touching the exclusions for ai.djl:api https://github.com/langchain4j/langchain4j-embeddings/blob/0.33.0/langchain4j-embeddings/pom.xml#L37-L41.

The problem is that embedding has 2 dependencies on ai.djl:api, one direct dependency and a transitive dependency through ai.djl.huggingface:tokenizers. To avoid future problems, we should exclude ai.djl:api from ai.djl.huggingface:tokenizers.

Copy link
Collaborator

@langchain4j langchain4j Aug 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIU, tokenizers always uses the same version of ai.djl:api, so there is no need in exclusions, we just need to make sure we use the same version of api and tokenizers.

But if we remove exclusion of api, there is a problem with slf4j-api...

Copy link
Contributor Author

@Dohbedoh Dohbedoh Aug 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we just need to make sure we use the same version of api and tokenizers.

That's why I propose the exclusion here. ai.djl:api. The same thing we did for common-compress in 6c358b8.

Copy link
Collaborator

@langchain4j langchain4j Aug 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excluding ai.djl:api is not necessary, it works fine without it. And maven-enforcer-plugin will always make sure there is no conflict.

</exclusion>
</exclusions>
</dependency>

<dependency>
Expand Down
19 changes: 19 additions & 0 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,25 @@
</execution>
</executions>
</plugin>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.5.0</version>
<executions>
<execution>
<id>enforce</id>
<configuration>
<rules>
<dependencyConvergence/>
</rules>
</configuration>
<goals>
<goal>enforce</goal>
</goals>
</execution>
</executions>
</plugin>

<plugin>
<groupId>io.sundr</groupId>
Expand Down