2.4.0 Is bringing some different dependencies in the class path and cause the build to fail

[Jonatha1983]

What happened?

Hi

I have created this repo in which the issue is reproducible.

Basically with 2.3.0 things work and with 2.4.0 I am getting:

'org.apache.commons.compress.archivers.tar.TarArchiveEntry org.apache.commons.compress.archivers.tar.TarArchiveInputStream.getNextEntry()'

after a short investigation, I saw that the plugin structure is bringing a different Apache-commons-compress dependency, and it caused the error since another plugin expects the public one. The versions are the same, but the dependencies are not:

Relevant log output or stack trace

Steps to reproduce

Run this repo:
https://github.com/Jonatha1983/240-dependencies-bug

Gradle IntelliJ Plugin version

2.4.0

Gradle version

8.13

Operating System

None

Link to build, i.e. failing GitHub Action job

https://github.com/Jonatha1983/240-dependencies-bug

[AB-xdev]

We have the same problem, noticed it when running in combination with Sonar. However it only seems to happen when the OS is Linux?

Here's the log:
https://github.com/xdev-software/intellij-plugin-save-actions/actions/runs/13989338199/job/39169567841

[hsz]

Given that two different Gradle plugins require a dependency in two different versions in a single build classpath, I'm not entirely sure how to correctly address that.

[AB-xdev]

Given that two different Gradle plugins require a dependency in two different versions in a single build classpath, I'm not entirely sure how to correctly address that.

So the first thing would be to find out where the broken class is coming from because when I list the plugin dependency versions everything is fine:

> Task :buildEnvironment
...

classpath
+--- org.jetbrains.intellij.platform:org.jetbrains.intellij.platform.gradle.plugin:2.4.0
|    \--- org.jetbrains.intellij.platform:intellij-platform-gradle-plugin:2.4.0
...
|         +--- org.jetbrains.intellij.plugins:structure-base:3.300
...
|         |    +--- org.apache.commons:commons-compress:1.27.1 <--
|         |    |    +--- commons-codec:commons-codec:1.17.1
...
\--- org.sonarqube:org.sonarqube.gradle.plugin:6.0.1.5171
     \--- org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:6.0.1.5171
          \--- org.sonarsource.scanner.lib:sonar-scanner-java-library:3.1.1.261
               ...
               +--- org.apache.commons:commons-compress:1.27.1 (*) <--
               ...
(*) - Indicates repeated occurrences of a transitive dependency subtree. Gradle expands transitive dependency subtrees only once per project; repeat occurrences only display the root of the subtree, followed by this annotation.

Both plugins use the lastest version 1.27.1.

However when you now build on Linux it looks like another dependency is added from somewhere (however I cannot determine this exactly as I'm using Windows and only our CI uses Linux).
Maybe from the IDE itself? (Changelog says "Load the com.intellij module by default when creating the IntelliJ Platform dependency")

Another question should be why you now need so many dependencies in the first place.
Gradle reports 0 dependencies for 2.3.0, whilst 2.4.0 has 100+ (including transitive ones)

---

Update: I think I found the problem.

Something is seriously wrong with how the intellij-platform-gradle-plugin.jar is shaded.
It declares org.apache.commons:commons-compress:1.27.1 as a dependency (as seen above), but a different variant of the classes from that dependency seems to be also present on the classpath inside the plugin jar!

The original class from commons-compress-1.27.1 looks like this:

javap -c -classpath commons-compress-1.27.1.jar org.apache.commons.compress.archivers.tar.TarArchiveInputStream
Compiled from "TarArchiveInputStream.java"
public class org.apache.commons.compress.archivers.tar.TarArchiveInputStream extends 
org.apache.commons.compress.archivers.ArchiveInputStream<org.apache.commons.compress.archivers.tar.TarArchiveEntry> {
...

However intellij-platform-gradle-plugin-2.4.0.jar brings one that has no GenericParameter???

javap -c -classpath intellij-platform-gradle-plugin-2.4.0.jar org.apache.commons.compress.archivers.tar.TarArchiveInputStream
Compiled from "TarArchiveInputStream.java"
public class org.apache.commons.compress.archivers.tar.TarArchiveInputStream extends 
org.apache.commons.compress.archivers.ArchiveInputStream {
...

The problem is likely not just commons-compress and also affects other dependencies.

[AB-xdev]

Fun Fact: The same problem seems to be present since 2.2.0 (likely caused by b2e1fd8).
However it was not noticed as TarArchiveInputStream is missing:

I highly recommend that you do not shade these dependencies into the jar and if you do so use a dedicated package so that they don't overlap with the actual dependencies.

[hsz]

Thank you for the investigation, @AB-xdev!

The current state of the IntelliJ Platform Gradle Plugin is that I have the JPS Model transitive dependencies present in place, which come from the Plugin Verifier's structure libraries. Unfortunately, they're available only in the custom non-MavenCentral repositories, and it's not possible for users using this Gradle plugin to add required repositories to their setup.

Bundling them is required for now, but eventually, PV should get rid of them (or at least publish all required pieces to MavenCentral).