JJWT依赖混淆
JJWT dependency confusion
我继承了一个 java 项目,该项目在 POM.xml:
<properties>
<jjwt.version>0.11.1</jjwt.version>
</properties>
// from https://github.com/jwtk/jjwt#maven
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>${jjwt.version}</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>${jjwt.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
<version>${jjwt.version}</version>
<scope>runtime</scope>
</dependency>
// what is this "jjwt" dep, and why might it be using a different version?
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
这个“jjwt”dep 是什么,为什么它可能使用不同的版本?
上没有看到任何提及
在 JJWT 版本 0.10.0 之前,API 和实现都打包为一个工件,io.jsonwebtoken:jjwt。
从版本 0.10.0 开始,API 和实现分为两个不同的工件。
摘自JJWT Release Notes, version 0.10.0:
JJWT's new modular design utilizes distinctions between compile and runtime dependencies to ensure you only depend on the public APIs that are safe to use in your application. All internal/private implementation classes have been moved to a new jjwt-impl runtime dependency.
If you depended on any internal implementation classes in the past, you have two choices:
Refactor your code to use the public-only API classes and interfaces in the jjwt-api .jar. Any functionality you might have used in the internal implementation should be available via newer cleaner interfaces and helper classes in that .jar.
Specify the new jjwt-impl .jar not as a runtime dependency but as a compile dependency. This would make your upgrade to JJWT 0.10.0 fully backwards compatible, but you do so at your own risk. JJWT will make NO semantic version compatibility guarantees in the jjwt-impl .jar moving forward. Semantic versioning will be very carefully adhered to in all other JJWT dependencies however.
我的猜测是您的项目团队尚未完成从 JJWT <= 0.9 到 JJWT >= 0.10 的升级。
我继承了一个 java 项目,该项目在 POM.xml:
<properties>
<jjwt.version>0.11.1</jjwt.version>
</properties>
// from https://github.com/jwtk/jjwt#maven
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>${jjwt.version}</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>${jjwt.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
<version>${jjwt.version}</version>
<scope>runtime</scope>
</dependency>
// what is this "jjwt" dep, and why might it be using a different version?
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
这个“jjwt”dep 是什么,为什么它可能使用不同的版本?
上没有看到任何提及在 JJWT 版本 0.10.0 之前,API 和实现都打包为一个工件,io.jsonwebtoken:jjwt。
从版本 0.10.0 开始,API 和实现分为两个不同的工件。
摘自JJWT Release Notes, version 0.10.0:
JJWT's new modular design utilizes distinctions between compile and runtime dependencies to ensure you only depend on the public APIs that are safe to use in your application. All internal/private implementation classes have been moved to a new jjwt-impl runtime dependency.
If you depended on any internal implementation classes in the past, you have two choices:
Refactor your code to use the public-only API classes and interfaces in the jjwt-api .jar. Any functionality you might have used in the internal implementation should be available via newer cleaner interfaces and helper classes in that .jar.
Specify the new jjwt-impl .jar not as a runtime dependency but as a compile dependency. This would make your upgrade to JJWT 0.10.0 fully backwards compatible, but you do so at your own risk. JJWT will make NO semantic version compatibility guarantees in the jjwt-impl .jar moving forward. Semantic versioning will be very carefully adhered to in all other JJWT dependencies however.
我的猜测是您的项目团队尚未完成从 JJWT <= 0.9 到 JJWT >= 0.10 的升级。