yuicompressor depends on a modified version of Rhino, which causes dependency confusion

[timothykim]

Steps to produce:

1. Create a java project that depends on yuicompressor AND Rhino
2. Write any code that depends on any of the modified classes in this package: https://github.com/yui/yuicompressor/tree/master/src/org/mozilla/javascript
3. You'll either get a java.lang.StringIndexOutOfBoundsException or MethodNothFoundException or something simliar.

Core of the problem is that yuicompressor leverages on a modified version of Rhino but keeps the namespace the same. So if you have a project that depends on yuicompressor AND Rhino, you are going to have namespace collision.

A crude fix would be to embed the entire Rhino library into the project and change the namespace so that it no longer conflicts with any other packages that depend on Rhino.

Here's a fork of yuicompressor that has the crude fix: https://github.com/timothy-kim/yuicompressor

However, more elegant solution would be desirable.

[apatrida]

Really, the inclusion of rhino without a relocation of the JAR names is dangerous and just cost hours of trying to figure out why Rhino was broken. use shade or jar jar plugins with relocations!

[apatrida]

Another problem, they include in the pom.xml a dependency on Rhino 1.7R2 but also include Rhino in the main JAR. this needs cleaned up

[mcucchiara]

@jaysonminard I've already submitted a PR #179 to use jarjar (not yet merged though)

[ajkerr]

Would love to see this fixed, this has caused us no end of issues with dependencies.

[tml]

My plan is to merge @mcucchiara's fix in once the SAC-based CSS compressor is complete, and release them together as 3.0.0. In the meantime, you can use (and provide feedback) on his PR in #179. Thanks for your input!

[apatrida]

Why not merge it now to save the suffering of many people trying to diagnose a mystery problem. It was really sloppy before to do this to begin with, pelase fix it sooner rather than waiting. It is an easy change.

[santhakr]

I was hit by the very same issue today. I am not sure if the changes were merged. Any blocker?

[zhuravskiy]

I use birt runtime in my project, and birt depends from rhino 1.7.5, but this problem broken my reports, how long this issue will be open? Please fix it ASAP

[WebArtsAG]

Have the same issues, we need Rhino to analyise und modify JavaScript, but we also have YUICompressor in the project, so currently we cannot deploy.

[fxthomas]

I finally understood that the current version of yuicompressor (2.4.8) still gets Rhino as both a pom dependency and bundled, modified classes. My current workaround is this:

<dependency>
  <groupId>com.yahoo.platform.yui</groupId>
  <artifactId>yuicompressor</artifactId>
  <version>2.4.8</version>
  <scope>runtime</scope>
  <exclusions>
    <exclusion>
      <artifactId>js</artifactId>
      <groupId>rhino</groupId>
    </exclusion>
  </exclusions>
</dependency>