Bump okhttp version to 4.11.0 #29

Closed
bessbd opened this issue Nov 9, 2020 · 11 comments

@bessbd
Contributor

bessbd commented Nov 9, 2020

The version of okhttp that we currently have hides HTTP early-termination-followed responses from the server. square/okhttp#6295 fixes this issue. To have the fix in cloudant-java-sdk, okhttp needs to be updated once the fix is available in a new okhttp version.

See related cloudant/java-cloudant#317

@ricellis
Member

Frustratingly the 4.10.0-RC1 has magically transformed into a 5.0.0-alpha.1 - the knock-on effect being that we will no longer be able to take the update without core changes to accommodate whatever breaking changes get rolled into the okhttp 5.x stream.

@ricellis
Member

ricellis commented Oct 1, 2021

Note this change is not included in 4.9.2 #178

@ricellis
Member

It appears also not to be included in 4.9.3 #201

@ricellis
Member

Update from OkHttp folks: square/okhttp#6295 (comment)

@barvek

barvek commented Aug 5, 2022

Hello, it looks like cloudant 0.2.0 is vulnerable and when the package is pulled using maven, the okhttp which is pulled in is always 4.9.3. When can we see it pulling 4.10.0?

@ricellis ricellis changed the title from "Bump okhttp version once https://github.com/square/okhttp/pull/6295 is released" to "Bump okhttp version to 5.x" Aug 8, 2022
@ricellis
Member

ricellis commented Aug 8, 2022

The original ticket here is for pulling a specific change which was originally going to be in a different OkHttp version (but is now slated for the 5.x stream) - I've updated the title to make that more clear.

@barvek - our dependency requirement for 0.2.0 is asking for OkHttp@4.10.0 and the sdk-core@9.17.3 which in turn also asks for OkHttp@4.10.0. Not sure why you're getting an older version, perhaps some other dependency requirement somewhere is pegging it back or you need to clean some caches or something.

@eiri
Member

eiri commented Aug 8, 2022

For what it's worth, I can't reproduce this on a fresh project.

$ gradle init --type java-application

Select build script DSL:
  1: Groovy
  2: Kotlin
Enter selection (default: Groovy) [1..2] 1

Generate build using new APIs and behavior (some features may change in the next minor release)? (default: no) [yes, no] no
Select test framework:
  1: JUnit 4
  2: TestNG
  3: Spock
  4: JUnit Jupiter
Enter selection (default: JUnit Jupiter) [1..4] 1

Project name (default: depcheck):
Source package (default: depcheck):

> Task :init
Get more help with your project: https://docs.gradle.org/7.3/samples/sample_building_java_applications.html

BUILD SUCCESSFUL in 12s
2 actionable tasks: 2 executed


$ ./gradlew --version

------------------------------------------------------------
Gradle 7.3
------------------------------------------------------------

Build time:   2021-11-09 20:40:36 UTC
Revision:     96754b8c44399658178a768ac764d727c2addb37

Kotlin:       1.5.31
Groovy:       3.0.9
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          11.0.13 (Eclipse OpenJ9 openj9-0.29.0)

For build.gradle

plugins {
    id 'java'
    id 'application'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'com.ibm.cloud:cloudant:0.2.+'
}

application {
    mainClassName = 'depcheck.App'
}

Running $ ./gradlew dependencies gives me

compileClasspath - Compile classpath for source set 'main'.
\--- com.ibm.cloud:cloudant:0.2.+ -> 0.2.0
     +--- com.ibm.cloud:cloudant-common:0.2.0
     |    \--- com.ibm.cloud:sdk-core:9.17.3
     |         +--- com.squareup.okhttp3:okhttp:4.10.0
     |         |    +--- com.squareup.okio:okio:3.0.0
     |         |    |    \--- com.squareup.okio:okio-jvm:3.0.0
     |         |    |         +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.5.31 -> 1.6.21
     |         |    |         |    +--- org.jetbrains.kotlin:kotlin-stdlib:1.6.21
     |         |    |         |    |    +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.6.21
     |         |    |         |    |    \--- org.jetbrains:annotations:13.0
     |         |    |         |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.21
     |         |    |         |         \--- org.jetbrains.kotlin:kotlin-stdlib:1.6.21 (*)
     |         |    |         \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.5.31 -> 1.6.21
     |         |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.6.20 -> 1.6.21 (*)
     |         +--- com.squareup.okhttp3:logging-interceptor:4.10.0
     |         |    +--- com.squareup.okhttp3:okhttp:4.10.0 (*)
     |         |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.10 -> 1.6.21 (*)
     |         +--- com.squareup.okhttp3:okhttp-urlconnection:4.10.0
     |         |    +--- com.squareup.okhttp3:okhttp:4.10.0 (*)
     |         |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.10 -> 1.6.21 (*)
     |         +--- commons-codec:commons-codec:1.15
     |         +--- commons-io:commons-io:2.7
     |         +--- org.apache.commons:commons-lang3:3.8.1
     |         +--- com.google.guava:guava:30.1.1-jre
     |         |    +--- com.google.guava:failureaccess:1.0.1
     |         |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
     |         |    +--- com.google.code.findbugs:jsr305:3.0.2
     |         |    +--- org.checkerframework:checker-qual:3.8.0
     |         |    +--- com.google.errorprone:error_prone_annotations:2.5.1
     |         |    \--- com.google.j2objc:j2objc-annotations:1.3
     |         +--- com.google.code.gson:gson:2.9.0
     |         +--- io.reactivex.rxjava2:rxjava:2.2.7
     |         |    \--- org.reactivestreams:reactive-streams:1.0.2
     |         +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.21 (*)
     |         \--- org.jetbrains.kotlin:kotlin-stdlib:1.6.21 (*)
     +--- com.google.code.gson:gson:2.9.0
     \--- com.ibm.cloud:sdk-core:9.17.3 (*)

Core's fetching com.squareup.okhttp3:okhttp:4.10.0 as expected

@barvek

barvek commented Aug 8, 2022

I did clean the maven cache and am getting the same old version of okhttp. I am not sure if you will get the same result with maven.

$ mvn -v
Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
Maven home: /usr/local/Cellar/maven/3.8.1/libexec
Java version: 11.0.13, vendor: Eclipse Adoptium, runtime: /Library/Java/JavaVirtualMachines/temurin-11.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.5", arch: "x86_64", family: "mac"
$ mvn dependency:purge-local-repository
[INFO] Scanning for projects...
--------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.3.0:purge-local-repository (default-cli) @ marketplace ---
[INFO] Deleting 75 transitive dependencies for project marketplace from /Users/ketanbarve/.m2/repository with artifact version resolution fuzziness
[INFO] Re-resolving dependencies
:
:
Downloading from central: https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/4.9.3/okhttp-4.9.3.pom
Downloaded from central: https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/4.9.3/okhttp-4.9.3.pom (1.8 kB at 53 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/4.9.3/okhttp-4.9.3.jar
Downloaded from central: https://repo.maven.apache.org/maven2/com/squareup/okhttp3/okhttp/4.9.3/okhttp-4.9.3.jar (792 kB at 7.9 MB/s)
$ mvn dependency:tree
+- com.ibm.cloud:cloudant:jar:0.2.0:compile
[INFO] |  +- com.ibm.cloud:cloudant-common:jar:0.2.0:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] |  \- com.ibm.cloud:sdk-core:jar:9.17.3:compile
[INFO] |     +- com.squareup.okhttp3:logging-interceptor:jar:4.9.3:compile
[INFO] |     +- com.squareup.okhttp3:okhttp-urlconnection:jar:4.9.3:compile
[INFO] |     +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |     +- commons-io:commons-io:jar:2.7:compile
[INFO] |     +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |     +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |     |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |     |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |     |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |     |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |     |  +- com.google.errorprone:error_prone_annotations:jar:2.5.1:compile
[INFO] |     |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |     +- io.reactivex.rxjava2:rxjava:jar:2.2.21:compile
[INFO] |     |  \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.21:compile
[INFO] |        \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.21:compile

@eiri
Member

eiri commented Aug 8, 2022

Yes, I'm getting the same result, i.e. correct dep tree, with maven on a fresh project

$ mvn -v
Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: ...
Java version: 11.0.13, vendor: International Business Machines Corporation, runtime: .../java/semeru-openj9-11.0.13+8_openj9-0.29.0
Default locale: en_CA, platform encoding: UTF-8
OS name: "mac os x", version: "12.4", arch: "x86_64", family: "mac"

$ mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app -DarchetypeArtifactId=maven-archetype-quickstart -DarchetypeVersion=1.4 -DinteractiveMode=false
[INFO] Scanning for projects...
...

Add dep in pom.xml

...
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>com.ibm.cloud</groupId>
      <artifactId>cloudant</artifactId>
      <version>0.2.0</version>
    </dependency>
  </dependencies>
  ...

Run dep:tree

$  mvn dependency:tree
[INFO] Scanning for projects...
...
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ my-app ---
[INFO] com.mycompany.app:my-app:jar:1.0-SNAPSHOT
[INFO] +- junit:junit:jar:4.11:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- com.ibm.cloud:cloudant:jar:0.2.0:compile
[INFO]    +- com.ibm.cloud:cloudant-common:jar:0.2.0:compile
[INFO]    +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO]    \- com.ibm.cloud:sdk-core:jar:9.17.3:compile
[INFO]       +- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
[INFO]       |  \- com.squareup.okio:okio-jvm:jar:3.0.0:compile
[INFO]       +- com.squareup.okhttp3:logging-interceptor:jar:4.10.0:compile
[INFO]       +- com.squareup.okhttp3:okhttp-urlconnection:jar:4.10.0:compile
[INFO]       +- commons-codec:commons-codec:jar:1.15:compile
[INFO]       +- commons-io:commons-io:jar:2.7:compile
[INFO]       +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO]       +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO]       |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO]       |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO]       |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO]       |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO]       |  +- com.google.errorprone:error_prone_annotations:jar:2.5.1:compile
[INFO]       |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO]       +- io.reactivex.rxjava2:rxjava:jar:2.2.7:compile
[INFO]       |  \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO]       +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.21:compile
[INFO]       |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.21:compile
[INFO]       \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:compile
[INFO]          +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.21:compile
[INFO]          \- org.jetbrains:annotations:jar:13.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
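
An added example (not from any participant in this thread): a small Python helper that compares two `mvn dependency:tree` outputs and lists every artifact whose resolved version differs, run here on excerpts of the fresh-project tree and the reported tree above. The function names are hypothetical, and only Maven's plain-text tree format is handled.

```python
SCOPES = {"compile", "runtime", "test", "provided", "system"}

# Excerpt of the fresh-project tree posted above (expected resolution).
FRESH_TREE = r"""
[INFO] \- com.ibm.cloud:cloudant:jar:0.2.0:compile
[INFO]    \- com.ibm.cloud:sdk-core:jar:9.17.3:compile
[INFO]       +- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
[INFO]       +- com.squareup.okhttp3:logging-interceptor:jar:4.10.0:compile
[INFO]       +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO]       +- io.reactivex.rxjava2:rxjava:jar:2.2.7:compile
"""

# Excerpt of the tree from the project that reported okhttp 4.9.3.
REPORTED_TREE = r"""
+- com.ibm.cloud:cloudant:jar:0.2.0:compile
[INFO] |  \- com.ibm.cloud:sdk-core:jar:9.17.3:compile
[INFO] |     +- com.squareup.okhttp3:logging-interceptor:jar:4.9.3:compile
[INFO] |     +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |     +- io.reactivex.rxjava2:rxjava:jar:2.2.21:compile
"""


def resolved_versions(tree_text):
    """Map 'group:artifact' -> resolved version for each artifact line."""
    versions = {}
    for line in tree_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # The coordinate is the last token: group:artifact:type[:classifier]:version:scope
        parts = tokens[-1].split(":")
        if len(parts) in (5, 6) and parts[-1] in SCOPES:
            versions[parts[0] + ":" + parts[1]] = parts[-2]
    return versions


def version_drift(expected_tree, actual_tree):
    """Return {group:artifact: (expected, actual)} where the two trees disagree.

    An actual value of None means the artifact is not listed in that tree text.
    """
    expected = resolved_versions(expected_tree)
    actual = resolved_versions(actual_tree)
    return {ga: (want, actual.get(ga))
            for ga, want in expected.items() if actual.get(ga) != want}


if __name__ == "__main__":
    for ga, (want, got) in sorted(version_drift(FRESH_TREE, REPORTED_TREE).items()):
        print(f"{ga}: expected {want}, resolved {got}")
```

More than okhttp differs between the two trees (commons-lang3 and rxjava as well), which fits the suggestion above that something else in the consuming build is pegging versions. Running `mvn dependency:tree -Dincludes=com.squareup.okhttp3` and `mvn help:effective-pom` in that project helps narrow down where the version is set.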

@ricellis ricellis self-assigned this Jan 17, 2023
@ricellis
Member

Sadly, still no non-experimental 5.x release of okhttp is available; 5.0.0-alpha.11 is the latest.

@ricellis ricellis removed their assignment Jan 17, 2023
eiri added a commit that referenced this issue Apr 19, 2023
@ricellis ricellis changed the title from "Bump okhttp version to 5.x" to "Bump okhttp version to 4.11.0" Apr 24, 2023
@ricellis
Member

The okhttp folks have backported the fix for square/okhttp#1001 into 4.11.0 via square/okhttp#7453. We can close this out with okhttp 4.11.0 with #422
