Is there any difference in the dependency resolution mechanism
when having dependencies declared directly in myapp/deps.edn
vs in another module common/deps.edn, where common is used via :local/root?
In particular, when there are transitive dependencies that are used by a dependency that used to be in myapp/deps.edn but is now in common/deps.edn.
I'm facing this particular problem with bouncycastle and buddy:
Exception in thread "main" Syntax error macroexpanding at (buddy/core/keys/jwk/eddsa.clj:1:1).
...
Caused by: java.lang.SecurityException: class "org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters"'s signer information does not match signer information of other classes in the same package
Dependency tree of myapp:
• NOTE buddy-core used to be in myapp/deps.edn but it's now in common/deps.edn
clj -Stree
...
com.atlassian.jwt/jwt-core 3.2.1
...
X commons-codec/commons-codec 1.4 :use-top
. org.bouncycastle/bcprov-jdk15on 1.60
. org.bouncycastle/bcpkix-jdk15on 1.60
. org.bouncycastle/bcprov-jdk15on 1.60
...
buddy/buddy-hashers 2.0.167
. buddy/buddy-core 1.11.423
X commons-codec/commons-codec 1.16.0 :use-top
. org.bouncycastle/bcpkix-jdk18on 1.75
. org.bouncycastle/bcprov-jdk18on 1.75
. org.bouncycastle/bcutil-jdk18on 1.75
. org.bouncycastle/bcprov-jdk18on 1.75
. org.bouncycastle/bcprov-jdk18on 1.75
...
Dep versions at the top level are always used. Versions below the top level are subject to version selection based on the overall tree.
But there is nothing special about local dep resolution of transitive deps.
What is the actual problem?
My problem is that after I moved the buddy-core dependency from myapp/deps.edn to common/deps.edn and started myapp, I'm seeing the exception above. I'm assuming it's because of an incorrect bouncycastle version on the classpath.
There are two sets of bc deps above - they have different names so no version selection is being done. Classpath ordering sorts by distance from root, then alpha. If you moved “down” a level in the tree then you’ve changed the effective ordering of the two sets. But really you probably should only have one of those sets and you should exclude the other. I suspect they have similar sets of classes.
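
An added example, not part of the original thread: a classpath check that reports Java packages supplied by more than one jar, which is the condition behind the "signer information does not match" error when the overlapping jars are signed by different signers. The function names are hypothetical, and the sample jars are constructed placeholders that only borrow file names from the tree above.

```python
import os
import tempfile
import zipfile
from collections import defaultdict

def packages_in_jar(path):
    """Return the Java packages that have .class entries in one jar."""
    pkgs = set()
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            # Skip META-INF (multi-release copies) and default-package classes.
            if name.endswith(".class") and "/" in name and not name.startswith("META-INF/"):
                pkgs.add(name.rsplit("/", 1)[0].replace("/", "."))
    return pkgs

def split_packages(classpath, prefix=""):
    """Map package -> sorted jar names, for packages present in more than one jar."""
    owners = defaultdict(set)
    for entry in classpath.split(os.pathsep):
        if entry.endswith(".jar") and os.path.isfile(entry):
            for pkg in packages_in_jar(entry):
                if pkg.startswith(prefix):
                    owners[pkg].add(os.path.basename(entry))
    return {pkg: sorted(jars) for pkg, jars in owners.items() if len(jars) > 1}

def make_sample_jar(directory, name, entries):
    """Write a constructed jar whose class entries are empty placeholders."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return path

def demo():
    """Run the check over three constructed jars named after the tree above."""
    params = "org/bouncycastle/crypto/params/"
    with tempfile.TemporaryDirectory() as d:
        jars = [
            make_sample_jar(d, "bcprov-jdk15on-1.60.jar", [params + "KeyParameter.class"]),
            make_sample_jar(d, "bcprov-jdk18on-1.75.jar", [params + "Ed25519PrivateKeyParameters.class"]),
            make_sample_jar(d, "commons-codec-1.16.0.jar", ["org/apache/commons/codec/Charsets.class"]),
        ]
        return split_packages(os.pathsep.join(jars), prefix="org.bouncycastle")

if __name__ == "__main__":
    for pkg, jars in sorted(demo().items()):
        print(pkg, "<-", ", ".join(jars))
```

On a real project, pass the output of `clj -Spath` as the `classpath` argument; any package listed under two differently named bouncycastle jars points at the set to exclude.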