The Problem: Auth Dependencies Are Managed Separately
Currently, the google-auth-library-java module manages its third-party dependencies (like Guava, Protobuf, Jackson, and JUnit) separately within its own local <properties> block. The rest of the monorepo manages identical dependencies inside gapic-generator-java-pom-parent.
This duplicates versions and increases the risk of dependency drift across the monorepo:
google-auth-library-java/pom.xmlsdk-platform-java/gapic-generator-java-pom-parent/pom.xml
Because com.google.auth and com.google.cloud deploy under different staging profiles on Maven Central, they are uploaded to separate staging repositories. If google-auth-library-java references unreleased in-development versions of com.google.cloud parent POMs or BOMs, a circular release staging deadlock is created at release time.
Proposed Solutions
Option 1: Extract Version Properties to google-cloud-shared-config
Move shared version properties (like <guava.version>) into the external parent POM com.google.cloud:google-cloud-shared-config from which both modules inherit.
- Pros:
- Single, definitive source of truth at the parent configuration level.
- Completely clean code structure with zero duplicate config.
- Cons:
- Rigid Release Pipeline: Upgrading a dependency (like an urgent security CVE patch) requires releasing a new version of
google-cloud-shared-config to Maven Central first, waiting for Central's CDN to sync, and then updating the parent references in both projects.
Option 2: Extract Versions to a Common Base BOM Module (in Monorepo)
Introduce a lightweight, internal BOM module (e.g., base-shared-dependencies) in this monorepo containing only the third-party library versions. Both the auth library and client library BOMs would import it.
- Pros:
- Prevents circular staging deadlocks by maintaining a strictly acyclic dependency graph.
- Single source of truth located directly within the same monorepo.
- Cons:
- Release Staging Delay: Due to staging profile boundaries, releases must be built sequentially (waiting for the base BOM to fully sync to Maven Central before releasing the auth library, and then repeating before client libraries can release).
Option 3: Keep It as It Is and Use Automation to Update
Keep the properties blocks isolated inside their respective directories, but coordinate updates strictly using Renovate Bot or other CI scripting to bump them in parallel.
- Pros:
- Maximum Autonomy: The auth team can delay upgrades to preserve legacy client compatibility (like Firebase/Android) without blocking the client libraries.
- Zero Release Bottlenecks: No sequential staging wait-times; both projects release in parallel.
- Cons:
- Relies on external tooling and automation scripts to maintain consistency; human error/drift is still possible if manually edited.
The Problem: Auth Dependencies Are Managed Separately
Currently, the
google-auth-library-javamodule manages its third-party dependencies (like Guava, Protobuf, Jackson, and JUnit) separately within its own local<properties>block. The rest of the monorepo manages identical dependencies insidegapic-generator-java-pom-parent.This duplicates versions and increases the risk of dependency drift across the monorepo:
google-auth-library-java/pom.xmlsdk-platform-java/gapic-generator-java-pom-parent/pom.xmlBecause
com.google.authandcom.google.clouddeploy under different staging profiles on Maven Central, they are uploaded to separate staging repositories. Ifgoogle-auth-library-javareferences unreleased in-development versions ofcom.google.cloudparent POMs or BOMs, a circular release staging deadlock is created at release time.Proposed Solutions
Option 1: Extract Version Properties to
google-cloud-shared-configMove shared version properties (like
<guava.version>) into the external parent POMcom.google.cloud:google-cloud-shared-configfrom which both modules inherit.google-cloud-shared-configto Maven Central first, waiting for Central's CDN to sync, and then updating the parent references in both projects.Option 2: Extract Versions to a Common Base BOM Module (in Monorepo)
Introduce a lightweight, internal BOM module (e.g.,
base-shared-dependencies) in this monorepo containing only the third-party library versions. Both the auth library and client library BOMs would import it.Option 3: Keep It as It Is and Use Automation to Update
Keep the properties blocks isolated inside their respective directories, but coordinate updates strictly using Renovate Bot or other CI scripting to bump them in parallel.