I need help untangling what's wrong with fix(deps): update ktor monorepo to v3.1.0. Calling

.github/workflows/end-to-end-tests.main.kts

here: https://github.com/typesafegithub/github-workflows-kt/actions/runs/13436465865/job/37545104505?pr=1830 causes:

java.lang.NoClassDefFoundError: kotlinx/io/unsafe/UnsafeBufferOperations

. So far I checked that: • I cannot reproduce it locally (purged all caches, used Java 11) - reproduced it by setting a GitHub token, only then the problematic code path is executed • if I remove

@file:DependsOn("io.github.typesafegithub:action-updates-checker:3.2.1-SNAPSHOT")

and any pieces that depend on functions from it, it works - so this package is to blame •

UnsafeBufferOperations

was introduced in kotlinx-io 0.5.0 • ktor started using kotlinx-io starting 3.1.0 in this commit Something must still depend on kotlinx-io older than 0.5.0, but I cannot pin it down...

how do I check how Scripting resolves the versions of transitive dependencies?

You don't really want to know. 😄

ah, it's this problem...

Make sure the version you want comes first on the class loader, by either moving the dependency that depends on it to above the dependency that depends on the previous version, or just add a dependency on the later version explicitly, but also above the dependency that brings in the older version.

agrhh, adding

@file:Repository("<https://repo.maven.apache.org/maven2/>")
@file:DependsOn("org.jetbrains.kotlinx:kotlinx-io-core-jvm:0.6.0")

above

@file:DependsOn("io.github.typesafegithub:action-updates-checker:3.2.1-SNAPSHOT")

just changed the error message to

java.lang.NoSuchMethodError: 'kotlinx.io.Segment kotlinx.io.Buffer.writableSegment(int)'

looking at

./gradlew action-update-checker:dependencies

, looks like kotlinx.serialization is to blame - it still depends on kotlinx-io 0.4.0, and apparently the changes between the versions are breaking enough to make the explicit override not work

Gradle does conflict resolution and by default uses the later version. The scripting does not. It resolves each of the dependencies in the script individually and arranges them as described in the comment I linked.

You probably have to exclude the dependency additionally from that dependency.

I tried

implementation(projects.sharedInternal) {
        exclude("org.jetbrains.kotlinx", "kotlinx-io-core")
    }

but it doesn't work, I'm lost... I've never fought that hard with dependencies. Could you hint me more on how to sort it out?

I tried ... but it doesn't work

I meant in the script. If you want to fix it in that build, I think you should there add an explicit dependency on

kotlinx-io-core

. Because currently you have for the 0.6.0

action-updates-checker
 -> github-workflows-kt 
  -> shared-internal 
   -> io.ktor:ktor-client-core 
    -> io.ktor:ktor-client-core-jvm 
     -> io.ktor:ktor-http 
      -> io.ktor:ktor-http-jvm 
       -> io.ktor:ktor-utils 
        -> io.ktor:ktor-utils-jvm 
         -> io.ktor:ktor-io 
          -> io.ktor:ktor-io-jvm 
           -> org.jetbrains.kotlinx:kotlinx-io-core:0.6.0 
            -> org.jetbrains.kotlinx:kotlinx-io-core-jvm:0.6.0

and for the 0.4.0

action-updates-checker
 -> github-workflows-kt
  -> shared-internal
   -> io.ktor:ktor-serialization-kotlinx-json
    -> io.ktor:ktor-serialization-kotlinx-json-jvm
     -> org.jetbrains.kotlinx:kotlinx-serialization-json-io
      -> org.jetbrains.kotlinx:kotlinx-serialization-json-io-jvm
       -> org.jetbrains.kotlinx:kotlinx-io-core:0.4.0
        -> org.jetbrains.kotlinx:kotlinx-io-core-jvm:0.4.0

so the path to the 0.4.0 is shorter and thus wins following the non-sense Maven logic while Gradle does proper conflict resolution and uses the newer. So to tame the aether resolver, you have to provide a shorter path for 0.6.0. As the common hook-point is

shared-internal

, I'd say you should there add a

runtimeOnly

dependency on 0.6.0, then the path to it is shorter than to the 0.4.0 and Aether should use that.

works, thanks! as a side effort: [Kotlin/kotlinx.serialization] Bump kotlinx-io to 0.6.0