fix: do not leak internally used dependencies to actual apps, not even as optionals (#23011)

mstahv · vaadin-bot · commit f5ac9ef3b8f3 · 2026-01-09T08:25:24.000Z
Uses shade plugin to pull in some transitive dependencies to internal "flow-build-util" module. Although they are not ending up to the actual production artifact, they lower the DX as in IDE it may appear one has them evailable. Fixes #23007
diff --git a/flow-build-tools/pom.xml b/flow-build-tools/pom.xml
@@ -10,6 +10,10 @@
   <packaging>jar</packaging>
   <name>Flow Frontend Build Tools</name>
   <description>A module to handle frontend build tools common to the plugins and dev server</description>
+  <properties>
+    <!-- It appears that sonar does not like shade plugin -->
+    <sonar.skip>true</sonar.skip>
+  </properties>
 
   <dependencies>
 
@@ -38,4 +42,97 @@
 
   </dependencies>
 
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-shade-plugin</artifactId>
+        <version>3.6.1</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <phase>package</phase>
+            <configuration>
+              <shadedArtifactAttached>true</shadedArtifactAttached>
+              <shadedClassifierName>shaded</shadedClassifierName>
+              <createDependencyReducedPom>true</createDependencyReducedPom>
+              <dependencyReducedPomLocation>${project.build.directory}/dependency-reduced-pom.xml</dependencyReducedPomLocation>
+              <artifactSet>
+                <includes>
+                  <include>org.apache.commons:commons-compress</include>
+                  <include>commons-io:commons-io</include>
+                  <include>commons-codec:commons-codec</include>
+                  <include>org.apache.commons:commons-lang3</include>
+                </includes>
+              </artifactSet>
+              <relocations>
+                <relocation>
+                  <pattern>org.apache.commons.compress</pattern>
+                  <shadedPattern>com.vaadin.frontendtools.internal.commons.compress</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>org.apache.commons.io</pattern>
+                  <shadedPattern>com.vaadin.frontendtools.internal.commons.io</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>org.apache.commons.codec</pattern>
+                  <shadedPattern>com.vaadin.frontendtools.internal.commons.codec</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>org.apache.commons.lang3</pattern>
+                  <shadedPattern>com.vaadin.frontendtools.internal.commons.lang3</shadedPattern>
+                </relocation>
+              </relocations>
+              <filters>
+                <filter>
+                  <artifact>*:*</artifact>
+                  <excludes>
+                    <!-- Security signatures -->
+                    <exclude>META-INF/*.SF</exclude>
+                    <exclude>META-INF/*.DSA</exclude>
+                    <exclude>META-INF/*.RSA</exclude>
+                    <exclude>META-INF/SIG-*</exclude>
+                    <!-- Duplicate licenses -->
+                    <exclude>META-INF/LICENSE*</exclude>
+                    <exclude>META-INF/NOTICE*</exclude>
+                    <exclude>META-INF/DEPENDENCIES</exclude>
+                    <!-- Module info -->
+                    <exclude>module-info.class</exclude>
+                    <!-- Multi-Release JAR files -->
+                    <exclude>META-INF/versions/**</exclude>
+                    <!-- GraalVM native-image configs (reference unshaded class names) -->
+                    <exclude>META-INF/native-image/**</exclude>
+                    <!-- Dependency Maven metadata -->
+                    <exclude>META-INF/maven/**</exclude>
+                  </excludes>
+                </filter>
+                <filter>
+                  <!-- Exclude compressors with optional dependencies we don't need -->
+                  <artifact>org.apache.commons:commons-compress</artifact>
+                  <excludes>
+                    <exclude>org/apache/commons/compress/compressors/xz/**</exclude>
+                    <exclude>org/apache/commons/compress/compressors/lzma/**</exclude>
+                    <exclude>org/apache/commons/compress/compressors/brotli/**</exclude>
+                    <exclude>org/apache/commons/compress/compressors/zstandard/**</exclude>
+                    <exclude>org/apache/commons/compress/compressors/snappy/**</exclude>
+                    <exclude>org/apache/commons/compress/compressors/lz4/**</exclude>
+                    <exclude>org/apache/commons/compress/archivers/sevenz/**</exclude>
+                  </excludes>
+                </filter>
+              </filters>
+              <transformers>
+                <!-- Merge SPI service files -->
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                <!-- Handle Apache license files -->
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ApacheLicenseResourceTransformer"/>
+              </transformers>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+
 </project>
diff --git a/flow-client/pom.xml b/flow-client/pom.xml
@@ -169,6 +169,17 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <scope>test</scope>
+    </dependency>
+
   </dependencies>
 
   <build>
diff --git a/flow-data/pom.xml b/flow-data/pom.xml
@@ -42,6 +42,11 @@
       <scope>provided</scope>
     </dependency>
 
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
diff --git a/flow-plugins/flow-plugin-base/pom.xml b/flow-plugins/flow-plugin-base/pom.xml
@@ -23,6 +23,7 @@
       <groupId>com.vaadin</groupId>
       <artifactId>flow-build-tools</artifactId>
       <version>${project.version}</version>
+      <classifier>shaded</classifier>
     </dependency>
     <dependency>
       <groupId>com.vaadin</groupId>
diff --git a/flow-server/pom.xml b/flow-server/pom.xml
@@ -19,6 +19,7 @@
       <groupId>com.vaadin</groupId>
       <artifactId>flow-build-tools</artifactId>
       <version>${project.version}</version>
+      <classifier>shaded</classifier>
       <!-- Note, ideally vaadin-server should not depend this module at all
            and development time tooling shared with plugins should end up here.
            Temporarily build this way so that commons-compress can be ditched
@@ -91,6 +92,12 @@
       <artifactId>commons-io</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-compress</artifactId>
+      <version>1.28.0</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>tools.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
diff --git a/flow-server/src/test/java/com/vaadin/flow/server/startup/ServletContainerInitializerTest.java b/flow-server/src/test/java/com/vaadin/flow/server/startup/ServletContainerInitializerTest.java
@@ -149,7 +149,9 @@ && isBadSubType(clazz)) {
 
     private Stream<String> getExcludedPatterns() {
         return Stream.of("com\\.vaadin\\.flow\\..*osgi\\..*",
-                "com\\.vaadin\\.flow\\.server\\.startup\\.LookupInitializer\\$OsgiLookupImpl");
+                "com\\.vaadin\\.flow\\.server\\.startup\\.LookupInitializer\\$OsgiLookupImpl",
+                // Shaded third-party libraries
+                "com\\.vaadin\\.frontendtools\\.internal\\..*");
     }
 
     private boolean isBadSubType(Class<?> clazz) {
diff --git a/flow-test-generic/src/main/java/com/vaadin/flow/testutil/ClassesSerializableTest.java b/flow-test-generic/src/main/java/com/vaadin/flow/testutil/ClassesSerializableTest.java
@@ -60,6 +60,8 @@ public abstract class ClassesSerializableTest extends ClassFinder {
     @SuppressWarnings("WeakerAccess")
     protected Stream<String> getExcludedPatterns() {
         return Stream.of(
+                // Shaded third-party libraries
+                "com\\.vaadin\\.frontendtools\\.internal\\..*",
                 "com\\.vaadin\\.frontendtools\\.installer\\.DefaultArchiveExtractor",
                 "com\\.vaadin\\.frontendtools\\.installer\\.ArchiveExtractor",
                 "com\\.vaadin\\.flow\\.data\\.validator\\.BeanValidator\\$LazyFactoryInitializer",
diff --git a/flow-tests/pom.xml b/flow-tests/pom.xml
@@ -80,6 +80,16 @@
       <version>${project.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-simple</artifactId>
diff --git a/flow-tests/test-live-reload/pom.xml b/flow-tests/test-live-reload/pom.xml
@@ -41,6 +41,10 @@
       <artifactId>flow-test-lumo</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/flow-tests/test-root-context/pom.xml b/flow-tests/test-root-context/pom.xml
@@ -54,6 +54,10 @@
       <version>${project.version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
diff --git a/flow-tests/vaadin-spring-tests/pom.xml b/flow-tests/vaadin-spring-tests/pom.xml
@@ -129,6 +129,15 @@
       <artifactId>jakarta.websocket-client-api</artifactId>
     </dependency>
 
+    <dependency>
+      <!-- Not directly used, but something in the depths of spring/swagger
+               is using StringUtils, and we have probably excluded that in some
+               of our test build configs -->
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <version>3.20.0</version>
+    </dependency>
+
     <dependency>
       <groupId>org.apache.httpcomponents.client5</groupId>
       <artifactId>httpclient5</artifactId>
diff --git a/flow-tests/vaadin-spring-tests/test-spring-boot-multimodule-reload-time/generator/pom.xml b/flow-tests/vaadin-spring-tests/test-spring-boot-multimodule-reload-time/generator/pom.xml
@@ -49,6 +49,10 @@
       <groupId>org.springframework</groupId>
       <artifactId>spring-context</artifactId>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/vaadin-dev-server/pom.xml b/vaadin-dev-server/pom.xml
@@ -32,6 +32,7 @@
       <groupId>com.vaadin</groupId>
       <artifactId>flow-build-tools</artifactId>
       <version>${project.version}</version>
+      <classifier>shaded</classifier>
     </dependency>
     <dependency>
       <groupId>com.vaadin</groupId>
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/io/FilterableResourceResolver.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/io/FilterableResourceResolver.java
@@ -21,7 +21,6 @@
 import java.net.URI;
 import java.net.URL;
 import java.net.URLConnection;
-import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
@@ -36,7 +35,6 @@
 import java.util.stream.Stream;
 import java.util.zip.ZipException;
 
-import org.apache.commons.io.IOUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.core.io.Resource;
@@ -46,6 +44,8 @@
 import org.springframework.core.io.support.PropertiesLoaderUtils;
 import org.springframework.util.ResourceUtils;
 
+import com.vaadin.flow.internal.FileIOUtils;
+
 /**
  * A {@link PathMatchingResourcePatternResolver} that allows filtering resources
  * by package properties. The resolver reads META-INF/VAADIN/package.properties
@@ -542,7 +542,7 @@ private void initBlockedJars() {
             return;
         }
         try {
-            String content = IOUtils.toString(url, StandardCharsets.UTF_8);
+            String content = FileIOUtils.urlToString(url);
             if (content != null) {
                 if (content.isBlank()) {
                     blockedJarsList = Collections.emptyList();

Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,9 @@ && isBadSubType(clazz)) {`
`149`	`149`
`150`	`150`	`private Stream<String> getExcludedPatterns() {`
`151`	`151`	`return Stream.of("com\\.vaadin\\.flow\\..osgi\\..",`
`152`		`- "com\\.vaadin\\.flow\\.server\\.startup\\.LookupInitializer\\$OsgiLookupImpl");`
	`152`	`+ "com\\.vaadin\\.flow\\.server\\.startup\\.LookupInitializer\\$OsgiLookupImpl",`
	`153`	`+ // Shaded third-party libraries`
	`154`	`+ "com\\.vaadin\\.frontendtools\\.internal\\..*");`
`153`	`155`	`}`
`154`	`156`
`155`	`157`	`private boolean isBadSubType(Class<?> clazz) {`