Release a new version of gson-extras #2807

eamonnmcmanus · 2025-02-05T01:15:51Z

I have been operating under the assumption that the extras project had no Maven Central artifacts, but that's not true! We have com.google.code.gson:gson-extras, last released in 2018. Not much has happened since, but there is at least a change to RuntimeTypeAdapterFactory to give it a recognizeSubtypes() method. The existing artifact also has a CVE logged against it, and even though that is actually not a security problem at all, it would be nicer for it not to be there.

I tried releasing a new version with the existing configuration, but it didn't work. It got as far as making a git tag and everything, but then said:

[INFO] [INFO] --- maven-deploy-plugin:3.1.3:deploy (default-deploy) @ gson-extras ---
[INFO] [INFO] Skipping artifact deployment

I'm sure there's some refinement needed to extras/pom.xml, probably similar to what's in gson/pom.xml.

We should also correct this statement in the README:

The artifacts created by this module are currently not deployed to Maven Central.

(It's technically correct, I suppose, since it says that "are currently not deployed", not that they never have been deployed.)

The text was updated successfully, but these errors were encountered:

Marcono1234 · 2025-02-06T21:01:13Z

Related / similar previous issues (also give some explanation why it was not published yet):

Maybe blocked by #2042
We could probably solve this by adding a module-info to gson-extras as well, and then in gson's module-info export those packages to gson-extras only.

I tried releasing a new version with the existing configuration, but it didn't work. It got as far as making a git tag and everything, but then said [...]

Probably due to this in pom.xml:

gson/extras/pom.xml

Line 37 in 528fd31

<gson.isInternalModule>true</gson.isInternalModule>

extras project had no Maven Central artifacts, but that's not true! We have com.google.code.gson:gson-extras, last released in 2018

https://mvnrepository.com (which is not the official Maven Central web interface) also lists third-party repositories. It seems gson-extras was deployed to the repository of CronApp (by them probably), but not to Maven Central.

So if we were to release gson-extras to Maven Central it would be the first public release. Maybe we should first go through the API and implementation to make sure there are no obvious issues (e.g. leaking implementation details in API, ...) because afterwards it might be difficult to fix this without breaking backward compatibility. Technically even now it could break backward compatibility in case users have copied the gson-extras code to their projects, but maybe the risk for that is lower (and in the worst case they could keep using their local copy).

eamonnmcmanus · 2025-02-06T23:20:23Z

I guess I should have researched this a bit more carefully. It's just as well my attempt to deploy failed. :-)
I'm thinking it might nevertheless make sense to release extras, but I agree that we should look at the APIs a bit more carefully first.
FWIW extras is available to Google-internal code, but has relatively few users.
One possible motivation would be as a place to house adapters for Guava immutable collections. Internally, we have a number of places where people are implicitly relying on the bugs that would be fixed by #2068. I've mostly corrected those places with a GuavaCollectionsTypeAdapterFactory, which could go in extras and have a possibly-optional dependency on Guava.

eamonnmcmanus added Priority-Low Type-Task labels Feb 5, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Release a new version of gson-extras #2807

Release a new version of gson-extras #2807

Uh oh!

Uh oh!

Release a new version of gson-extras #2807

Release a new version of gson-extras #2807

Comments

Uh oh!

Uh oh!