Mismatch between expected release dependencies and "dependency conflicts"

Question

I just updated to 939-9127, the latest release of cloud storage and compute, because I want to be running with the latest dependencies. Then I bumped my project's deps to the latest versions. Then I did an ion deploy.

The deploy reports several dependency conflicts. That isn't unusual, but what I find confusing is that the suggested dependencies are older than what the release docs say are included in 939-9127. To pick a random example, consider tools.analyzer.jvm. The release docs say 939-9127 uses tools.analyzer.jvm 1.2.2, and locally, with the latest deps, clojure -Spath reports that I am depending on tools.analyzer.jvm 1.2.2. But the dependency conflict report recommends that I pin my deps.edn to tools.analyzer.jvm 1.1.0.

The release history page doesn't document exactly when or how each dependency was bumped, but anecdotally, many of the versions mentioned in the dependency conflict report match the versions mentioned for the 936-9118 release, and its associated lib updates. Since 936-9118 and its collection of libraries was the last version I was using, I'm suspicious that my update to 939-9127 didn't fully complete.

Because many of the recent dependency updates are security related, I explicitly don't want to depend on the older versions. Any suggestions about how to get the latest versions?

❯ clojure --version

Clojure CLI version 1.10.3.1069

❯ datomic cloud list-systems

[{,,,
  "storage-cft-version":"939",
  ,,,}]

❯ datomic system list-instances ,,,

[{,,,
  "group-cft-version":"939",
  "group-cloud-version":"9127",
  ,,,}]

❯ cat deps.edn

{:paths ["src" "resources"]
 :deps  {org.clojure/clojure {:mvn/version "1.10.3"},
         com.datomic/client-cloud {:mvn/version "1.0.119"}
         ;; register :server-type :ion
         com.datomic/ion          {:mvn/version "1.0.58"}
         io.pedestal/pedestal.service {:mvn/version "0.5.10"}
         io.pedestal/pedestal.ions    {:git/url "https://github.com/pedestal/pedestal.ions.git"
                                       :sha     "56070e360295f3359a6300a2d27858e0a125188b"
                                       :tag     "0.1.3"}
         }
 :mvn/repos {"datomic-cloud" {:url "s3://datomic-releases-1fc2183a/maven/releases"}}
 :aliases
 {:dev    {:extra-paths ["dev"]
           :extra-deps  {;; run jetty instead of ion
                         io.pedestal/pedestal.jetty {:mvn/version "0.5.10"}
                         ;; register :server-type :dev-local
                         com.datomic/dev-local      {:mvn/version "1.0.242"}
                         }}
  :deploy {:extra-paths ["deploy"]
           :extra-deps  {com.datomic/ion-dev {:mvn/version "1.0.298"}}
           :exec-fn     deploy/deploy}
  }}

❯ bin/release

{,,,
 :dependency-conflicts {:deps {commons-codec/commons-codec    #:mvn{:version "1.13"}
                               org.clojure/tools.analyzer     #:mvn{:version "1.0.0"}
                               org.clojure/tools.analyzer.jvm #:mvn{:version "1.1.0"}
                               org.ow2.asm/asm                #:mvn{:version "5.2"}
                               com.cognitect/caster           #:mvn{:version "0.9.40"}
                               org.clojure/tools.reader       #:mvn{:version "1.3.6"}
                               org.slf4j/slf4j-api            #:mvn{:version "1.7.32"}
                               org.clojure/core.memoize       #:mvn{:version "1.0.236"}
                               org.clojure/data.priority-map  #:mvn{:version "1.0.0"}
                               org.clojure/core.cache         #:mvn{:version "1.0.207"}
                               org.clojure/core.async         #:mvn{:version "1.3.618"}}
                        :doc  "The :push operation overrode these dependencies to match versions already running in Datomic Cloud. To test locally add these explicit deps to your deps.edn."}}

Answer 1

Hi Jacob!

The cloud-deps.edn in ion-dev does not match the cloud-deps.edn that is actually running in your version of Datomic cloud. We understand this is a problem and we are working on it but you can ignore the dependency conflict map reported from a push.

Hope you are well!

Comments

Thanks for the update. I can confirm—within a running Ion my classpath contains the more recent versions of these deps. I’ll ignore the dependency conflicts for now. Cheers!

---

Is there an issue tracker where we can see progress against this bug?

---

Hi Chris we're working on this hopefully for our next feature release, but we do not have a public issue tracker.  I have linked this thread to our internal ticket on the issue and when released we will update here.

---

This problem is still outstanding even after the release of the new freely-distributed (but undocumented?) client libs.  

I'm frustrated by this issue.  I know it's easy to let this kind of forum thread stand-in for good housekeeping, but it not very reassuring when mismatches are reported on critical libs and I can only set them up to be ignored.  

1. Setting up the "ignoring" of mismatch warnings my CD pipeline is a PITA.
2. Setting up the ignoring of outdated dependencies (with antq) is a PITA.
3. I still need to manually review the exceptions periodically -which is where I found that I've been running on an outdated version of the (undocumented?) `client-impl-shared`.