Archaius version update?

[samhendley]

Hystrix is still tied to version 0.4.1 of the archaius library. Can we update to a newer version? I only noticed because that version doesn't correctly expose it's dependencies. In particular it doesn't list commons-lang in its depdencies which gave me an unexpected runtime error (below).

[ERROR][scheduler-3][2014-04-29 08:26:01,901] org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler.handleError(TaskUtils.java:95) - Unexpected error occurred in scheduled task.
java.lang.NoClassDefFoundError: org/apache/commons/lang/text/StrLookup
at com.netflix.config.ConfigurationManager.getConfigInstance(ConfigurationManager.java:125)
at com.netflix.config.DynamicPropertyFactory.getInstance(DynamicPropertyFactory.java:263)
at com.netflix.config.DynamicProperty.getInstance(DynamicProperty.java:245)
at com.netflix.config.PropertyWrapper.<init>(PropertyWrapper.java:58)
at com.netflix.hystrix.strategy.properties.HystrixPropertiesChainedArchaiusProperty$DynamicBooleanProperty.<init>(HystrixPropertiesChainedArchaiusProperty.java:300)
at com.netflix.hystrix.HystrixCommandProperties.getProperty(HystrixCommandProperties.java:384)
at com.netflix.hystrix.HystrixCommandProperties.<init>(HystrixCommandProperties.java:116)
at com.netflix.hystrix.HystrixCommandProperties.<init>(HystrixCommandProperties.java:110)

[benjchristensen]

Yes, we can update. I'd actually be interested in pulling it out as a dependency (and used as a plugin), but I don't know how to do so without it being a breaking change to anyone using Archaius and I don't want to do a 2.x for something like this.

[samhendley]

Well I don't think it's unreasnoble to do it in a "point revision" (0.15?). As long as it still pretty much works the way it did before I think a "you'll need to add this additional dependency and add this one line" level of breaking change is acceptable in a project this young. I wasn't suggesting that you try to rush anything for 0.14 but just something to watch out for. One other reason to update is that the 0.4.1 branch of Archaius project isn't visible on github as a tag or release which made debugging this issue more difficult.

If you don't update to a more recent Archaius version I would add commons-lang (needs to be atleast 2.2) to your dependencies so the next guy doesn't run into this issue on deployment. It's not the biggest deal since almost everyone has that on their path in most larger projects but as I accidently proved this morning it can happen.

[benjchristensen]

I'll explore my options and will try to get this changed in 1.4.x which hasn't released yet.

[benjchristensen]

I will update to 0.6.x if I don't move it completely to a plugin: https://github.com/Netflix/archaius/releases/tag/archaius-0.6.0

[benjchristensen]

Both 0.4.1 and 0.6.0 uses commons-configuration 1.8.
Worse, 0.6 adds Guava and Jackson ... so actually I don't really want to upgrade to 0.6.

http://search.maven.org/#artifactdetails%7Ccom.netflix.archaius%7Carchaius-core%7C0.4.1%7Cjar
http://search.maven.org/#artifactdetails%7Ccom.netflix.archaius%7Carchaius-core%7C0.6.0%7Cjar
https://github.com/Netflix/archaius/blob/master/build.gradle#L32

Unless Archaius goes on a diet I'm going to have to move it to a plugin ... which will be painful.

/cc @allenxwang

[benjchristensen]

@allenxwang Any chance of a version of Archaius without all these dependencies?

[mattrjacobs]

From looking at public interfaces which deal with configuration, I believe a 2.0 release will be required. I'll start outlining the required changes here.

[li-a]

archaius 0.4.1's dependency on commons-configuration 1.8 gets it flagged by some security scans because of its optional dependency on commons-collections 3.2.1, which has popular security vulnerabilities.

Seems like this will get resolved only in a 2.x, but there's so little movement on the project lately.. should I stop holding my breath?