#tools-deps
2022-12-17
d._.b 19:12:14

Moving from lein and one nagging question for me has been around global :exclusions. For an example of why I am wondering, see https://github.com/stuartsierra/log.dev/blob/master/project.clj.

d._.b 19:12:12

I worry that specifying exclusions per-dep is going to get extremely wordy, and am interested in any ways to clean up the mess of ensuing :exclusions.

d._.b 19:12:16

Maybe in tools.deps land this looks something like a processing step that programmatically adds the exclusions per-dep?

d._.b 19:12:13

I'm not really sure one way or the other, but I sure would like some top-level method of excluding logging junk!

Alex Miller (Clojure team) 19:12:51

Right now, not much to help you, but has been requested several times. Can you add to https://ask.clojure.org ? I can’t immediately find it there

d._.b 19:12:05

Sure thing.

seancorfield 19:12:21

You will need exclusions a lot less, in my experience, because of the different algorithm for selecting versions of dependencies. tools.deps uses a much simpler and more obvious algorithm than lein. I found that that helped eliminate nearly all of the :exclusions that we used to need with Leiningen. But it does depend on why you are trying to exclude dependencies.

d._.b 19:12:22

Any thoughts on this particular case (other logging libs and bridges)?

seancorfield 19:12:36

We have not found we need that. We use log4j2 and clojure.tools.logging and have everything bridged to that, and have never had an issue with dependencies bringing in other bridge libraries.

d._.b 19:12:03

yeah, taking a quick look at my current deps tree, not so bad, so perhaps my "omg I'm going to need to exclude so much logging junk" isn't as bad as I expected it might be.

d._.b 19:12:13

still a relatively young project, so time will tell

d._.b 19:12:24

clj-http bringing commons logging is currently the only one I spot

seancorfield 19:12:25

I just looked. We have four exclusions across 174 deps.edn files in our 134Kloc codebase.

d._.b 19:12:41

quasi-related question for you since you mention 174 files (that's a lot of files): do you do anything similar to lein's managed-dependencies?

d._.b 19:12:51

thinking about things like jackson

seancorfield 19:12:58

Two are logging related: one excludes slf4j-nop from build tooling, the other excludes log4j 1.x from an Authorize.Net dep.

seancorfield 19:12:13

We have one exclusion of Cheshire in one place (because of Jackson issues).

seancorfield 19:12:48

We keep our deps up to date by running antq regularly and tweaking things only as needed to suppress problematic deps. We also run clj-watson to check for CVEs and we address those as fast as we can.

d._.b 19:12:05

my managed-dependencies question looks like there's a fair bit of prior discussion, so I'll keep that out of this thread for now 🙂

seancorfield 19:12:37

:override-deps and an alias should handle all of that 🙂

👍 1