Synchronize Dependencies with BOM

Posted by Benoît Quenaudon on April 12, 2022

Gradle provides support for importing bill of materials (BOM) files. When a BOM is passed to a Platform dependency, Gradle will make sure that the project will depend on the same version for all modules of the same library. This recently helped us fix an upgrade problem where there had been version skew and a breaking change across dependencies on different modules of the same library.

Without BOM

At Cash App, we have a lot of services depending on each other and when we decided to bump the version of Wire from 4.1.1 to 4.2.0, we started getting a lot of CI build failures, and even worse, runtime crashes from breaking changes in Wire’s API.
As an example, here is what Wire’s version definition looked like for Wire in one of our service:

val wireGrpcClient = "com.squareup.wire:wire-grpc-client:4.2.0"
val wireRuntime = "com.squareup.wire:wire-runtime:4.2.0"

We explicitly declare 2 dependencies on Wire. However, we discovered that we transitively depend on more Wire modules. We are able to diagnose this with the gradle my-module:dependencies command.

Here is what a sample result would look like:

$ ./gradlew my-module:dependencies
   ....
|    \--- com.squareup.wire:wire-runtime-jvm:4.2.0
|  ....
|    +--- com.squareup.wire:wire-compiler:4.1.0
|    +--- com.squareup.wire:wire-grpc-client:4.0.1 -> 4.2.0 (*)
|    |    +--- com.squareup.wire:wire-runtime:4.0.1 -> 4.2.0 (*)

We can see that we have a transitive dependency to wire-compiler, and some artifacts are resolved on version 4.1.0 while others are on 4.2.0. That’s a problem! Because of a backward incompatibility change in Wire, we’d get errors when one service depended on a second service which transitively depended on other modules of Wire. We would also get into troubles in reverse where a service using Wire 4.1.0 would depend on another one which already upgraded its dependency on Wire to 4.2.0.
We have more than a hundred of those services so this made the upgrade very difficult.

With BOM

Wire started publishing a BOM file and we were then able to benefit from it. Here is what version definition looks like when we use the BOM:

val wireBom = "com.squareup.wire:wire-bom:4.2.0"
val wireGrpcClient = "com.squareup.wire:wire-grpc-client"
val wireRuntime = "com.squareup.wire:wire-runtime"

We now have a unique source of truth for the Wire version. We can use it to synchronize what version all dependencies to Wire will be. To do so, the BOM dependency needs to be passed to all places declaring a dependency on Wire to take effect.

 dependencies {
+  implementation(platform(libs.wireBom))
   implementation(libs.wireRuntime)
 }

or for instance, like so if you’re using the Wire Gradle plugin.

 dependencies {
+  classpath(platform(libs.wireBom))
   classpath(libs.wireGradlePlugin)
 }

Publishing BOM files

If your library publishes multiple modules, you can help your users managing its dependencies by publishing a BOM file. This is done with a single file defining its dependency constraints.
Here is how it looks for Wire:

dependencies {
  constraints {
    api(project(":wire-compiler"))
    api(project(":wire-gradle-plugin"))
    api(project(":wire-grpc-client"))
    api(project(":wire-grpc-server"))
    api(project(":wire-grpc-server-generator"))
    api(project(":wire-grpc-mockwebserver"))
    api(project(":wire-gson-support"))
    api(project(":wire-java-generator"))
    api(project(":wire-kotlin-generator"))
    api(project(":wire-moshi-adapter"))
    api(project(":wire-profiles"))
    api(project(":wire-reflector"))
    api(project(":wire-runtime"))
    api(project(":wire-schema"))
    api(project(":wire-swift-generator"))
  }
}

This file is published in its own module com.squareup.wire:wire-bom for users to consume.

BOM

Cash App now publishes BOM files for Okio, OkHttp, and Wire. To avoid having to manually add a platform dependency on every call sites, as well so that we don’t forget to add it for future ones, we wrote a small snippet which we use in our projects so that platform definitions are automatically added when needed. This also covers dependencies getting pulled in transitively.

allprojects {
  configurations.all {
    dependencies.all {
      val bom = when (group) {
        "com.squareup.okio" -> Dependencies.okioBom
        "com.squareup.okhttp" -> Dependencies.okhttpBom
        "com.squareup.wire" -> Dependencies.wireBom
        else -> return@all
      }
      dependencies.add(project.dependencies.platform(bom))
    }
  }
}

Update 2023.05.12

When upgrading the Gradle plugin, this snippet started throwing exceptions such as java.util.ConcurrentModificationException. Here’s a new snippet we started to use to work around that:

allprojects {
  configurations.all {
    withDependencies {
      if (any { it.group == "com.squareup.okio" }) {
        add(project.dependencies.platform(Dependencies.okioBom))
      }
      if (any { it.group == "com.squareup.okhttp" }) {
        add(project.dependencies.platform(Dependencies.okhttpBom))
      }
      if (any { it.group == "com.squareup.wire" }) {
        add(project.dependencies.platform(Dependencies.wireBom))
      }
    }
  }
}

BOM files are great; let’s use them!

← →