[BUG] androidx.security version is overriding our app version #5331
Comments
Hey @jt-gilkeson, thanks for reaching out!
We're not doing anything special regarding the dependency. My understanding is that by default Gradle will resolve to the most recent version of the library. I think it just usually does that silently because it doesn't detect any issues.
Thank you for the quick reply.
Yes, we are 23+. Is there any particular functionality of the SDK that we should concentrate testing on?
Unfortunately there are problems with updating the version, something to do with newer versions having an issue with keystores when people get a new phone and their data was automatically transferred (there are a lot of reports of others having this same issue with updating the lib). While we can change the app to stop transferring the data between phones going forward, we already have a large existing customer base, so we are somewhat locked in to 1.0.0-rc02 for the foreseeable future.
This article talks about how libraries can make their dependencies more flexible to avoid this type of conflict:
We use The article is interesting, but this is an edge case not really covered by it, due to your restrictions and the non-backwards compatible changes made to 1.1.0. Even if we loosen the dependency requirements, we'd still need 1.1.0+. One possible solution for this is to somehow rename the package so that you could ship with both 1.0.0 and 1.1.0, but they'll have different class names so they won't conflict. I haven't looked in depth, but this project might be able to help https://imperceptiblethoughts.com/shadow/introduction/
Hi @jt-gilkeson, have you found a potential workaround that suits your use case?
Unfortunately there doesn't appear to be a quick and easy solution to this situation. We'll either have to try to wipe our users' shared preferences if they can't be opened (not a great experience) or we'll have to try that rename package workaround. @brnunes-stripe I didn't follow what you meant by: Are you saying test excluding 1.1.0 and calling that method?
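The silent upgrade discussed in this thread appears in `gradle dependencies` output as a `requested -> selected` arrow. As an added example (not code from the thread or from the Stripe SDK), this Python script scans such a report for watched modules whose selected version differs from the requested one; the sample report and the `com.example:other-lib` module are constructed for illustration, using the versions quoted in the issue.

```python
import re
import sys

# One resolved node of a `gradle dependencies` tree, for example:
#   +--- androidx.security:security-crypto:1.0.0-rc02 -> 1.1.0-alpha03
# Handles "group:name:version", "group:name -> version" and the trailing
# (*), (c), (n) markers. Rich-version syntax such as {strictly ...} is ignored.
NODE = re.compile(
    r"^[|+\\ -]*(?P<group>[\w.\-]+):(?P<name>[\w.\-]+)"
    r"(?::(?P<requested>[^\s:]+))?(?: -> (?P<selected>\S+))?"
    r"(?: \([*cn]\))*\s*$"
)

# Modules whose version must not change without review (assumption: chosen by you).
WATCHED = {"androidx.security:security-crypto"}

# Constructed sample report; versions are the ones quoted in the issue.
SAMPLE_REPORT = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.security:security-crypto:1.0.0-rc02 -> 1.1.0-alpha03
+--- com.stripe:stripe-android:20.5.0
|    +--- androidx.security:security-crypto:1.1.0-alpha03 (*)
|    \--- com.example:other-lib:2.0.0 -> 2.1.0
\--- com.example:other-lib:2.1.0
"""


def find_overrides(report, watched):
    """Return sorted (module, requested, selected) for watched modules
    that Gradle resolved to a version other than the one requested."""
    hits = set()
    for line in report.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend text
        module = f"{m['group']}:{m['name']}"
        requested, selected = m["requested"], m["selected"]
        if module in watched and selected and selected != requested:
            hits.add((module, requested, selected))
    return sorted(hits, key=str)


if __name__ == "__main__":
    # Pipe real output in, or run with no stdin redirect to use the sample.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    found = find_overrides(text, WATCHED)
    for module, requested, selected in found:
        print(f"{module}: requested {requested}, resolved to {selected}")
    sys.exit(1 if found else 0)  # non-zero exit fails a CI step
```

Run as a CI step, this makes a version change in a crypto dependency a visible failure rather than something noticed after release.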
Summary
Our app uses "androidx.security:security-crypto:1.0.0-rc02". When updating from Stripe 18.2.0 to 20.5.0 we see in the dependency tree that Stripe is overriding the version used in the app to "1.1.0-alpha03" which causes problems.
Other libs don't seem to do this - even though they use a different version of the security-crypto it doesn't override it for the app.
Is there something we can specify on our side or preferably that you can change on your side to not override the version outside of your library?
Like would the following be safe to do?