Switch to compileOnly dependencies for integrations

[romtsn]

Description

At the moment we declare all integration dependencies (e.g. okhttp for sentry-okhttp-intreceptor) as implementation. This means we are potentially overriding user-defined dependencies, if they use an older version of okhttp. We should switch those dependencies to be compileOnly so at runtime we'd actually use what user has defined in their deps.

We should cautious about incompatible versions though, at best we could define version constraints for the min. supported version, at worst have a note for each integration/troubleshooting page on the docs

[marandaneto]

We could also run a matrix test with all the supported major or minor versions, so we know that we don't introduce breaking changes as well.

[philipphofmann]

We could also choose to ship with the lowest possible version of our integrations because Gradle will pick the highest one.

[marandaneto]

We could also choose to ship with the lowest possible version of our integrations because Gradle will pick the highest one.

We already do that, we rarely upgrade our transitive dependencies unless it's needed due to security issues and so on.

[philipphofmann]

We already do that, we rarely upgrade our transitive dependencies unless it's needed due to security issues and so on.

Switching to compileOnly and checking at runtime which version is available, could mean that we break the user at runtime though which is bad IMO. So I don't really get the benefit. Why not just keep it as is?

[marandaneto]

@philipphofmann the SDK should degrade gracefully if the desired lib isn't in the classpath.
We'd like to keep the App's direct dependency and not rely on Gradle's dependency resolution that can pick up the wrong version or override the user's defined version.
If let's say they want to use our okhttp integration, the minimum they have to do is to also have a dependency to the okhttp library themselves instead of relying on us as a transitive dependency.
By doing that, you avoid issues like #185, #2025 and getsentry/sentry-android-gradle-plugin#342
https://develop.sentry.dev/sdk/philosophy/#dependencies-cost

[romtsn]

@philipphofmann the SDK should degrade gracefully if the desired lib isn't in the classpath.

Unfortunately, this is not always possible, because our integrations extend from the deps classes:

class SentryOkHttpInterceptor : Interceptor

So the class verification check will fail even before hitting our code, resulting in NoClassDefFoundError. I still think it should be fine though, because if they don't have an okhttp dependency, they don't have an OkHttpClient to attach our interceptor to.