Upgrade to 2.1.7 throws snakeyaml error

[ahalma]

My app works fine in Dropwizard 2.1.6.
But when I upgrade to Dropwizard 2.1.7 it throws the following error...

java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
	at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:178)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:466)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:368)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:15)
	at io.dropwizard.configuration.BaseConfigurationFactory.createParser(BaseConfigurationFactory.java:113)
	at io.dropwizard.configuration.BaseConfigurationFactory.build(BaseConfigurationFactory.java:86)
	at io.dropwizard.cli.ConfiguredCommand.parseConfiguration(ConfiguredCommand.java:139)
	at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:85)
	at io.dropwizard.cli.Cli.run(Cli.java:78)
	at io.dropwizard.Application.run(Application.java:94)
	at org.example.abc.App.main(App.java:65)

Is there a way to resolve that?

[joschi]

This looks like your application is using an incompatible version of SnakeYAML and Jackson.

Dropwizard 2.1.7 comes with Jackson 2.13.5, which doesn't support SnakeYAML 2.x: https://github.com/dropwizard/dropwizard/blob/v2.1.7/dropwizard-dependencies/pom.xml#L39

This being said, you can use a more recent version of Jackson in your application that the one coming with Dropwizard 2.1.7 and use SnakeYAML 2.x.

[ron-ak-p]

I'm having the same issue.

SnakeYAML 2.x is actually a transitive dependency of Dropwizard; specifically, I see it in io.dropwizard:dropwizard-migrations, which has a dependency of org.liquibase:liquibase-core 4.22.0, which has a dependency of org.yaml:snakeyaml 2.0.

It turns out that this conflict in versions appears to have at least attempted to been addressed when you look at the Dropwizard BOM (io.dropwizard:dropwizard-dependencies 2.1.7):

            <dependency>
                <groupId>org.liquibase</groupId>
                <artifactId>liquibase-core</artifactId>
                <version>${liquibase-core.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.yaml</groupId>
                        <artifactId>snakeyaml</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

So SnakeYAML should be excluded as a transitive dependency of org.liquibase:liquibase-core, but in practice, it is not.

What's even stranger is that when one generates a Maven dependency tree of io.dropwizard:dropwizard-migrations 2.1.7 directly, SnakeYAML 2.0 is excluded and instead the SnakeYAML dependency of Jackson is included, all as expected. Relevant snippets from dependency tree:

io.dropwizard:dropwizard-migrations:jar:2.1.7
+- io.dropwizard:dropwizard-core:jar:2.1.7:compile
...
|  +- io.dropwizard:dropwizard-configuration:jar:2.1.7:compile
|  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.5:compile
|  |     \- org.yaml:snakeyaml:jar:1.31:compile
...
+- org.liquibase:liquibase-core:jar:4.22.0:compile
|  +- com.opencsv:opencsv:jar:5.7.1:compile
|  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
|  +- org.apache.commons:commons-text:jar:1.10.0:compile
|  \- org.apache.commons:commons-collections4:jar:4.4:compile
...

However, when one has io.dropwizard:dropwizard-migrations as a dependency in their project's pom.xml, then, for some reason, SnakeYAML 2.0 is included instead, which is not expected. I created a simple test pom.xml with just that as a dependency:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
	
    <groupId>com.thatsarap</groupId>
    <artifactId>test-exclude</artifactId>
    <version>0.0.1</version>
    <packaging>jar</packaging>

    <dependencies>
        <dependency>
            <groupId>io.dropwizard</groupId>
            <artifactId>dropwizard-migrations</artifactId>
            <version>2.1.7</version>
        </dependency>
    </dependencies>
</project>

And generated a Maven dependency tree of it, which shows the difference and the issue:

com.thatsarap:test-exclude:jar:0.0.1
\- io.dropwizard:dropwizard-migrations:jar:2.1.7:compile
   +- io.dropwizard:dropwizard-core:jar:2.1.7:compile
...
   |  +- io.dropwizard:dropwizard-configuration:jar:2.1.7:compile
   |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.5:compile
...
   +- org.liquibase:liquibase-core:jar:4.22.0:compile
   |  +- com.opencsv:opencsv:jar:5.7.1:compile
   |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
   |  +- org.apache.commons:commons-text:jar:1.10.0:compile
   |  +- org.apache.commons:commons-collections4:jar:4.4:compile
   |  \- org.yaml:snakeyaml:jar:2.0:compile
...

Is this a bug in Maven or what am I a missing here?

[aceArt-GmbH]

thanks @ron-ak-p
Adding

<exclusions>
	<exclusion>
		<groupId>org.yaml</groupId>
		<artifactId>snakeyaml</artifactId>
	</exclusion>
</exclusions>

to dropwizard-migrations seems to be a viable workaround

[ahalma]

@aceArt-GmbH , confirmed!

[zUniQueX]

Hi @ron-ak-p

It turns out that this conflict in versions appears to have at least attempted to been addressed when you look at the Dropwizard BOM (io.dropwizard:dropwizard-dependencies 2.1.7):

Maven currently doesn't support exclusions in the import scope. So the exclusion won't work there.

Is this a bug in Maven or what am I a missing here?

The cause of the behavior can be seen when building the effective POMs. (This can be done with the command mvn help:effective-pom). When running the command in the dropwizard-migrations project, the transitive parent dropwizard-dependencies gets recognized and all the declarations of the dependencyManagement section get copied into the effective pom.

If you're using the dropwizard-bom instead of dropwizard-dependencies in your project, then your project is missing the dependencyManagement section with the artifact exclusions of dropwizard-dependencies. That results in using the Maven default dependency resolution mechanism. This strategy uses the 'nearest definition' of each artifact. Since the snakeyaml artifact in dropwizard-core is nested more times than in liquibase-core, the dependency from liquibase-core gets used.

If you use the dropwizard-dependencies module to manage your dropwizard dependencies, this problem wouldn't affect you because then the exclusion would work and exclude the artifact from liquibase-core.

That being said, I don't think we should add an exclusion in the dropwizard-migrations module. If other users specify their changelogs in YAML files, excluding the correct snakeyaml dependency will probably break something for them.

[github-actions]

This issue is stale because it has been open 90 days with no activity.
Remove the "stale" label or comment or this will be closed in 14 days.