Merge pull request #502 from SpineEventEngine/deps-2023-12-30

Improve and update dependencies
SpineEventEngine · Dec 30, 2023 · 17870fe · 17870fe
2 parents 5167490 + ef69cee
commit 17870fe
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 46 deletions.
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
@@ -169,49 +169,54 @@ tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
 }
 
 dependencies {
-    implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonVersion")
-    implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:$jacksonVersion")
-
-    @Suppress(
-        "VulnerableLibrariesLocal", "RedundantSuppression" /*
-        `artifactregistry-auth-common` has transitive dependency on Gson and Apache `commons-codec`.
-
-        Gson from version `2.8.6` until `2.8.9` is vulnerable to Deserialization of Untrusted Data
-         (https://devhub.checkmarx.com/cve-details/CVE-2022-25647/).
-
-        Apache `commons-codec` before 1.13 is vulnerable to information exposure
-        (https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/).
-
-        We use Gson `2.10.1`and we force it in `forceProductionDependencies()`.
-        We use `commons-code` with version `1.16.0`, forcing it in `forceProductionDependencies()`.
+    api("com.github.jk1:gradle-license-report:$licenseReportVersion")
+    dependOnAuthCommon()
+
+    listOf(
+        "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion",
+        "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:$jacksonVersion",
+        "com.github.jk1:gradle-license-report:$licenseReportVersion",
+        "com.google.guava:guava:$guavaVersion",
+        "com.google.protobuf:protobuf-gradle-plugin:$protobufPluginVersion",
+        "gradle.plugin.com.github.johnrengelman:shadow:${shadowVersion}",
+        "io.gitlab.arturbosch.detekt:detekt-gradle-plugin:$detektVersion",
+        "io.kotest:kotest-gradle-plugin:$kotestJvmPluginVersion",
+        // https://github.com/srikanth-lingala/zip4j
+        "net.lingala.zip4j:zip4j:2.10.0",
+        "net.ltgt.gradle:gradle-errorprone-plugin:${errorPronePluginVersion}",
+        "org.ajoberstar.grgit:grgit-core:${grGitVersion}",
+        "org.jetbrains.dokka:dokka-base:${dokkaVersion}",
+        "org.jetbrains.dokka:dokka-gradle-plugin:${dokkaVersion}",
+        "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlinVersion",
+        "org.jetbrains.kotlin:kotlin-reflect:$kotlinVersion",
+        "org.jetbrains.kotlinx:kover-gradle-plugin:$koverVersion"
+    ).forEach {
+        implementation(it)
+    }
+}
 
-        So, we should be safe with the current version `artifactregistry-auth-common` until
-        we migrate to a later version. */
-    )
+/**
+ * Includes the `implementation` dependency on `artifactregistry-auth-common`,
+ * with the version defined in [googleAuthToolVersion].
+ *
+ * `artifactregistry-auth-common` has transitive dependency on Gson and Apache `commons-codec`.
+ * Gson from version `2.8.6` until `2.8.9` is vulnerable to Deserialization of Untrusted Data
+ * (https://devhub.checkmarx.com/cve-details/CVE-2022-25647/).
+ *
+ *  Apache `commons-codec` before 1.13 is vulnerable to information exposure
+ * (https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/).
+ *
+ * We use Gson `2.10.1` and we force it in `forceProductionDependencies()`.
+ * We use `commons-code` with version `1.16.0`, forcing it in `forceProductionDependencies()`.
+ *
+ * So, we should be safe with the current version `artifactregistry-auth-common` until
+ * we migrate to a later version.
+ */
+fun DependencyHandlerScope.dependOnAuthCommon() {
+    @Suppress("VulnerableLibrariesLocal", "RedundantSuppression")
     implementation(
         "com.google.cloud.artifactregistry:artifactregistry-auth-common:$googleAuthToolVersion"
     ) {
         exclude(group = "com.google.guava")
     }
-
-    implementation("com.google.guava:guava:$guavaVersion")
-    api("com.github.jk1:gradle-license-report:$licenseReportVersion")
-    implementation("org.ajoberstar.grgit:grgit-core:${grGitVersion}")
-    implementation("net.ltgt.gradle:gradle-errorprone-plugin:${errorPronePluginVersion}")
-
-    // Add explicit dependency to avoid warning on different Kotlin runtime versions.
-    implementation("org.jetbrains.kotlin:kotlin-reflect:$kotlinVersion")
-    implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlinVersion")
-
-    implementation("io.gitlab.arturbosch.detekt:detekt-gradle-plugin:$detektVersion")
-    implementation("com.google.protobuf:protobuf-gradle-plugin:$protobufPluginVersion")
-    implementation("org.jetbrains.dokka:dokka-gradle-plugin:${dokkaVersion}")
-    implementation("org.jetbrains.dokka:dokka-base:${dokkaVersion}")
-    implementation("gradle.plugin.com.github.johnrengelman:shadow:${shadowVersion}")
-
-    // https://github.com/srikanth-lingala/zip4j
-    implementation("net.lingala.zip4j:zip4j:2.10.0")
-
-    implementation("io.kotest:kotest-gradle-plugin:$kotestJvmPluginVersion")
-    implementation("org.jetbrains.kotlinx:kover-gradle-plugin:$koverVersion")
 }
diff --git a/buildSrc/src/main/kotlin/io/spine/internal/dependency/KotlinX.kt b/buildSrc/src/main/kotlin/io/spine/internal/dependency/KotlinX.kt
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2023, TeamDev. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Redistribution and use in source and/or binary forms, with or without
+ * modification, must retain the above copyright notice and the following
+ * disclaimer.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package io.spine.internal.dependency
+
+@Suppress("unused", "ConstPropertyName")
+object KotlinX {
+
+    const val group = "org.jetbrains.kotlinx"
+
+    object Coroutines {
+
+        // https://github.com/Kotlin/kotlinx.coroutines
+        const val version = "1.7.3"
+        const val core = "$group:kotlinx-coroutines-core:$version"
+        const val jdk8 = "$group:kotlinx-coroutines-jdk8:$version"
+    }
+}
diff --git a/buildSrc/src/main/kotlin/io/spine/internal/dependency/ProtoData.kt b/buildSrc/src/main/kotlin/io/spine/internal/dependency/ProtoData.kt
@@ -29,7 +29,7 @@ package io.spine.internal.dependency
 /**
  * Dependencies on ProtoData modules.
  *
- * In order to use locally published ProtoData version instead of the version from a public plugin
+ * To use the locally published ProtoData version, instead of the version from a public plugin
  * registry, set the `PROTODATA_VERSION` and/or the `PROTODATA_DF_VERSION` environment variables
  * and stop the Gradle daemons so that Gradle observes the env change:
  * ```
@@ -65,7 +65,7 @@ object ProtoData {
      * The version of ProtoData dependencies.
      */
     val version: String
-    private const val fallbackVersion = "0.15.3"
+    private const val fallbackVersion = "0.15.4"
 
     /**
      * The distinct version of ProtoData used by other build tools.
@@ -74,19 +74,36 @@ object ProtoData {
      * transitional dependencies, this is the version used to build the project itself.
      */
     val dogfoodingVersion: String
-    private const val fallbackDfVersion = "0.15.3"
+    private const val fallbackDfVersion = "0.15.4"
 
     /**
      * The artifact for the ProtoData Gradle plugin.
      */
     val pluginLib: String
 
+    fun pluginLib(version: String): String =
+        "$group:gradle-plugin:$version"
+
+    fun api(version: String): String =
+        "$group:protodata-api:$version"
+
     val api
-        get() = "$group:protodata-api:$version"
+        get() = api(version)
+
     val compiler
         get() = "$group:protodata-compiler:$version"
+
+    val gradleApi
+        get() = "$group:protodata-gradle-api:$version"
+
+    val cliApi
+        get() = "$group:protodata-cli-api:$version"
+
+    fun codegenJava(version: String): String =
+        "$group:protodata-codegen-java:$version"
+
     val codegenJava
-        get() = "$group:protodata-codegen-java:$version"
+        get() = codegenJava(version)
 
     /**
      * An env variable storing a custom [version].
@@ -113,7 +130,7 @@ object ProtoData {
             version = experimentVersion ?: fallbackVersion
             dogfoodingVersion = experimentDfVersion ?: fallbackDfVersion
 
-            pluginLib = "${group}:gradle-plugin:$version"
+            pluginLib = pluginLib(version)
             println("""
 
                 ❗ Running an experiment with ProtoData. ❗

diff --git a/buildSrc/src/main/kotlin/io/spine/internal/dependency/Spine.kt b/buildSrc/src/main/kotlin/io/spine/internal/dependency/Spine.kt
@@ -89,7 +89,7 @@ object Spine {
          *
          * @see <a href="https://github.com/SpineEventEngine/mc-java">spine-mc-java</a>
          */
-        const val mcJava = "2.0.0-SNAPSHOT.177"
+        const val mcJava = "2.0.0-SNAPSHOT.175"
 
         /**
          * The version of [Spine.baseTypes].