@FinlayRJW FinlayRJW commented Sep 17, 2025

Before this PR

Background: https://pl.ntr/2wT

The gradle-consistent-versions plugin currently publishes all constraints from versions.lock in component metadata (POMs and Gradle Module Metadata), even for dependencies that aren't actually used by the published component. This causes:

  1. Bloated POMs: The <dependencyManagement> section includes irrelevant dependencies, confusing users who may think these are actual dependencies
  2. Problematic Module Metadata: Unlike POMs where dependencyManagement is mostly ignored, Gradle Module Metadata applies these constraints by default, potentially affecting dependency resolution unnecessarily

After this PR

This PR introduces an opt-in property com.palantir.gradle.versions.filterLockFileConstraints that, when enabled, filters published constraints to only include dependencies in the actual transitive closure of the component being published.

  • When filterLockFileConstraints=true, the plugin resolves the compile and runtime classpaths to determine which modules are actually used
  • Only constraints for these used modules are included in the published metadata
  • Local project constraints (com.palantir.gradle.versions.publishLocalConstraints) continue to work as before

This filtering capability previously existed (#191) but was removed due to performance concerns (#504). By making this opt-in, projects can choose between:

  • Default: Fast builds, but with all constraints published (same as current)
  • Filtered constraints: Cleaner published metadata, but with the performance cost of resolving configurations during publishing

==COMMIT_MSG==
Add optional filtering of published dependency constraints

Introduces com.palantir.gradle.versions.filterLockFileConstraints property to filter published constraints to only include dependencies actually used by the component, reducing metadata bloat while maintaining backwards compatibility as an opt-in feature.
==COMMIT_MSG==

Possible downsides?

  • Performance impact when enabled due to configuration resolution during publishing
  • May increase build times for projects with many modules

changelog-app bot commented Sep 17, 2025

Generate changelog in changelog/@unreleased

Type (Select exactly one)

  • Feature (Adding new functionality)
  • Improvement (Improving existing functionality)
  • Fix (Fixing an issue with existing functionality)
  • Break (Creating a new major version by breaking public APIs)
  • Deprecation (Removing functionality in a non-breaking way)
  • Migration (Automatically moving data/functionality to a new system)

Description

Add optional filtering of published dependency constraints

Introduces com.palantir.gradle.versions.filterLockFileConstraints property to filter published constraints to only include dependencies actually used by the component, reducing metadata bloat while maintaining backwards compatibility as an opt-in feature.

Check the box to generate changelog(s)

  • Generate changelog entry

@FinlayRJW FinlayRJW changed the title from "enable filtering" to "enable filtering for lockFileConstraints in gradle module metadata and POMs" Sep 17, 2025
@FinlayRJW FinlayRJW changed the title from "enable filtering for lockFileConstraints in gradle module metadata and POMs" to "Add optional filtering of published dependency constraints to used dependencies only" Sep 17, 2025
changelog-app bot commented Sep 17, 2025

Successfully generated changelog entry!

What happened?

Your changelog entries have been stored in the database as part of our migration to ChangelogV3.

Need to regenerate?

Simply interact with the changelog bot comment again to regenerate these entries.

@FinlayRJW FinlayRJW requested a review from Copilot September 17, 2025 13:16

Copilot AI left a comment

Pull Request Overview

This PR adds an opt-in feature to filter published dependency constraints to only include dependencies that are actually used by the component being published. The goal is to reduce metadata bloat in POMs and Gradle Module Metadata while maintaining backwards compatibility.

Key changes:

  • Introduces com.palantir.gradle.versions.filterLockFileConstraints property to enable constraint filtering
  • Filters constraints by resolving compile and runtime classpaths to determine used modules
  • Adds comprehensive test coverage for both filtered and unfiltered scenarios with and without local constraints

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
VersionsLockPlugin.java | Implements the core filtering logic using classpath resolution and adds the configuration property
VersionsLockPluginIntegrationSpec.groovy | Adds extensive test cases covering all combinations of filtering and local constraint settings

@FinlayRJW
Contributor Author

Example:

build.gradle

dependencies {
    implementation project(':environment-variables')
    implementation gradleApi()
    api project(':providers')

    annotationProcessor 'org.immutables:value'

    compileOnly 'org.immutables:value::annotations'

    testImplementation 'org.assertj:assertj-core'
    testImplementation 'org.junit.jupiter:junit-jupiter'
    testImplementation 'com.netflix.nebula:nebula-test'
}

Before:

      "dependencyConstraints": [
        {
          "group": "com.fasterxml.jackson.core",
          "module": "jackson-annotations",
          "version": {
            "requires": "2.19.2"
          },
          "reason": "Computed from com.palantir.consistent-versions' versions.lock in gradle-utils"
        },
        {
          "group": "com.gradle",
          "module": "develocity-gradle-plugin-adapters",
          "version": {
            "requires": "1.2.1"
          },
          "reason": "Computed from com.palantir.consistent-versions' versions.lock in gradle-utils"
        },
        {
          "group": "org.apache.commons",
          "module": "commons-lang3",
          "version": {
            "requires": "3.18.0"
          },
          "reason": "Computed from com.palantir.consistent-versions' versions.lock in gradle-utils"
        },
        {
          "group": "org.immutables",
          "module": "value",
          "version": {
            "requires": "2.11.3"
          },
          "reason": "Computed from com.palantir.consistent-versions' versions.lock in gradle-utils"
        }
      ],

After:

      "dependencyConstraints": [
        {
          "group": "org.immutables",
          "module": "value",
          "version": {
            "requires": "2.11.3"
          },
          "reason": "Computed from com.palantir.consistent-versions' versions.lock in gradle-utils"
        }
      ],
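
The Before/After listings above, reproduced as an added Python example that is not the plugin's code: it filters each variant's dependencyConstraints in a Gradle Module Metadata document down to a given set of used group:module coordinates and reports what was dropped. The variant names, the sample document and the used-module set are constructed for illustration; the plugin derives that set by resolving the compile and runtime classpaths.

```python
import json

# Constructed sample: a trimmed Gradle Module Metadata document whose
# dependencyConstraints mirror the "Before" listing in this thread.
SAMPLE_MODULE_JSON = json.dumps({
    "formatVersion": "1.1",
    "variants": [
        {"name": "apiElements", "dependencyConstraints": [
            {"group": g, "module": m, "version": {"requires": v}}
            for g, m, v in [
                ("com.fasterxml.jackson.core", "jackson-annotations", "2.19.2"),
                ("com.gradle", "develocity-gradle-plugin-adapters", "1.2.1"),
                ("org.apache.commons", "commons-lang3", "3.18.0"),
                ("org.immutables", "value", "2.11.3"),
            ]]},
        {"name": "sourcesElements"},  # variant that publishes no constraints
    ],
})

def key(entry):
    """group:module coordinate, the identity used for matching."""
    return f"{entry['group']}:{entry['module']}"

def filter_constraints(module_json, used_modules):
    """Return (filtered_document, dropped); dropped maps each variant name
    to the constraint coordinates that are not in used_modules."""
    doc = json.loads(module_json)
    dropped = {}
    for variant in doc.get("variants", []):
        constraints = variant.get("dependencyConstraints")
        if constraints is None:
            continue  # nothing published for this variant
        keep = [c for c in constraints if key(c) in used_modules]
        gone = sorted(key(c) for c in constraints if key(c) not in used_modules)
        if gone:
            dropped[variant["name"]] = gone
        if keep:
            variant["dependencyConstraints"] = keep
        else:
            del variant["dependencyConstraints"]  # omit the empty section
    return doc, dropped

if __name__ == "__main__":
    # Assumed closure: only org.immutables:value is on the classpaths.
    used = {"org.immutables:value"}
    filtered, dropped = filter_constraints(SAMPLE_MODULE_JSON, used)
    print(json.dumps(filtered["variants"][0], indent=2))
    print("dropped:", dropped)
```

Run against a published .module file, the dropped map is a quick audit of which lock-file constraints would reach consumers without being part of the component's closure.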

@FinlayRJW FinlayRJW marked this pull request as ready for review September 17, 2025 13:27
.addAllLater(maybeFilterConstraintsByUsage(subproject, lockFileConstraints));
});

subproject
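
Review bot: The .addAllLater(maybeFilterConstraintsByUsage(subproject, lockFileConstraints)) call should be documented as lazy, since addAllLater takes a provider and the PR description says the earlier filter was removed over performance. Please confirm that the returned provider only resolves the compile and runtime classpaths when the constraints are actually read, and that with filterLockFileConstraints unset it hands back lockFileConstraints without resolving anything. A short Javadoc on maybeFilterConstraintsByUsage stating both would make that contract visible.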
Contributor Author

Do we want to make the default behaviour not publishing the dep constraints at all?
