Document transitive dependency exclusion #11

Closed
ennru opened this issue Jun 18, 2019 · 10 comments

@ennru
Contributor

ennru commented Jun 18, 2019

Users of this library would normally want to exclude the unused HTTP client libraries brought in by the AWS SDK so they don't interfere with anything.

This should work, right?

    "software.amazon.awssdk" % "sns" % AwsSdk2Version excludeAll (
      ExclusionRule("software.amazon.awssdk", "netty-nio-client"),
      ExclusionRule(organization = "io.netty"),
      ExclusionRule("org.apache.httpcomponents", "httpclient")
    ),

@matsluni
Owner

This looks good to me.

In the build.sbt (in this repo) I exclude netty-nio-client (in the test dependencies), because of how Service Loading works for the AWS (async) clients. Otherwise you need to explicitly declare which implementation to use as the underlying http provider for the aws client.

I have not excluded "org.apache.httpcomponents", "httpclient". This would be for a cleaner Classpath I guess?!

I had a quick look in my local Classpath and did a quick test. For me it even works to exclude "software.amazon.awssdk", "apache-client". This will get rid of some more (I guess) unnecessary dependencies. I haven't checked in Alpakka though.

@ennru
Contributor Author

ennru commented Jun 19, 2019

Great, excluding the apache-client makes it even slimmer. As a library provider you need to be very strict with pulling in dependencies, especially since widely used ones may interfere with other user code.

In Alpakka I go with this now:

        "software.amazon.awssdk" % "sns" % AwsSdk2Version excludeAll // ApacheV2
        (
          ExclusionRule("software.amazon.awssdk", "apache-client"),
          ExclusionRule("software.amazon.awssdk", "netty-nio-client")
        ),
        // overriding AWS SDK version to avoid https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
        "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9",

@matsluni
Owner

Yes, I understand this! 👍

Can the issue be closed?

@ennru
Contributor Author

ennru commented Jun 19, 2019

I thought it might be an idea to add this information to the readme of this project.

@matsluni
Owner

Yes, you are right. This is a good idea. As soon as you depend on a specific service (s3, sqs), you potentially have this issue, which you can run into.

@matsluni
Owner

@ennru, do you want to add something or is it what you had expected?

matsluni reopened this Jun 25, 2019

@ennru
Contributor Author

ennru commented Jun 26, 2019

All users will want to exclude "software.amazon.awssdk", "apache-client", right?
You choose this library to use Akka HTTP instead.

@matsluni
Owner

Yes, I think users can also exclude "software.amazon.awssdk", "apache-client", but this is more optional I would think. Whereas the included Netty client can cause trouble as both (Netty and Akka-http) are implementations for the async http client.

I can put it as an additional optional step to further trim the class path.

@matsluni
Owner

matsluni commented Jul 7, 2019

@ennru, I added an additional section. Can you check 3051fbe?

@ennru
Contributor Author

ennru commented Jul 14, 2019

Sure, that's great.

ennru closed this as completed Jul 14, 2019
jtjeferreira pushed a commit to jtjeferreira/aws-spi-akka-http that referenced this issue Sep 24, 2024
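
The exclusions discussed in this thread, combined with a build-time guard, as an added example that is not part of the original issue, the project's build or Alpakka's. The task name `checkAwsHttpClients` and the helper values are hypothetical, and `AwsSdk2Version` is a placeholder because the thread does not state a version. The guard covers the case raised above where a further AWS service module (s3, sqs) is added without the exclusions.

```scala
// build.sbt -- added example, not the project's or Alpakka's own build file.
// Placeholder: the thread does not state the SDK version; set the one your build uses.
val AwsSdk2Version = "x.y.z"

// HTTP client modules the thread excludes; the Akka HTTP based client replaces them.
val excludedAwsHttpClients = Set("apache-client", "netty-nio-client")
val awsHttpClientExclusions =
  excludedAwsHttpClients.toSeq.map(name => ExclusionRule("software.amazon.awssdk", name))

libraryDependencies ++= Seq(
  // Apply the same rules to every AWS service module you add (sns, sqs, s3, ...).
  ("software.amazon.awssdk" % "sns" % AwsSdk2Version)
    .excludeAll(awsHttpClientExclusions: _*),
  // Pin taken from the thread: overrides the SDK's jackson-databind version
  // to avoid CVE-2019-12086.
  "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9"
)

// Hypothetical task: fails the build if an excluded client is resolved again,
// for example through a service module that was added without the exclusions.
lazy val checkAwsHttpClients =
  taskKey[Unit]("Fail if excluded AWS HTTP client modules are resolved")

checkAwsHttpClients := {
  // allModules lists every resolved module across all configurations.
  val leaked = update.value.allModules.filter { m =>
    m.organization == "software.amazon.awssdk" && excludedAwsHttpClients(m.name)
  }
  if (leaked.nonEmpty)
    sys.error("Excluded AWS HTTP clients resolved: " + leaked.mkString(", "))
}
```

Running `sbt checkAwsHttpClients` in CI turns a silently reintroduced Netty or Apache client into a build failure instead of a runtime service-loading conflict.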