[NU-1897] flink-executor and lite-runtime modules: Added compile-time dependency to http-utils #7259

Merged
merged 2 commits into from
Nov 28, 2024

Conversation

arkadius
Member

@arkadius arkadius commented Nov 27, 2024

Describe your changes

Checklist before merge

  • Related issue ID is placed at the beginning of PR title in [brackets] (can be GH issue or Nu Jira issue)
  • Code is cleaned from temporary changes and commented out lines
  • Parts of the code that are not easy to understand are documented in the code
  • Changes are covered by automated tests
  • Showcase in dev-application.conf added to demonstrate the feature
  • Documentation added or updated
  • Added entry in Changelog.md describing the change from the perspective of a public distribution user
  • Added MigrationGuide.md entry in the appropriate subcategory if introducing a breaking change
  • Verify that PR will be squashed during merge

Summary by CodeRabbit

  • New Features

    • Updated changelog to highlight enhancements in the components-api module and improvements in Flink Kafka handling.
    • Introduced a new endpoint for scenario testing and renamed the 'test adhoc' button to 'adhoc-testing'.
  • Bug Fixes

    • Resolved issues with deployments involving dictionary editors after a model reload.
  • Documentation

    • Updated migration guide detailing significant changes and compatibility notes for version 1.19.0.
    • Enhanced changelog with new features, improvements, and dependency updates.
  • Chores

    • Cleaned up dependencies for improved management and compatibility across projects.

@github-actions github-actions bot added the docs label Nov 27, 2024
@arkadius arkadius changed the base branch from staging to componentsApi-remove-netty-dependency November 27, 2024 16:34
@arkadius arkadius changed the title from "Flinkexecutor httputils dependency" to "[NU-1897] flink-executor and lite-runtime modules: Added compile-time dependency to http-utils" Nov 27, 2024
@arkadius arkadius changed the title [NU-1897] flink-executor and lite-runtime modules: Added compile-time dependency to http-utils [NU-1897] flink-executor and lite-runtime modules: Added compile-time dependency to http-utils Nov 27, 2024

coderabbitai bot commented Nov 27, 2024

📝 Walkthrough

The pull request introduces significant modifications to the build.sbt file, focusing on dependency management for multiple projects within the Nussknacker application. Key changes include the addition of the httpUtils project, which now incorporates the async-http-client-backend-future dependency from the sttp library. This adjustment aims to resolve potential NoClassDefFoundError issues caused by conflicting versions of Netty. The liteEngineRuntime and flinkExecutor projects have been updated to include httpUtils as a compile-time dependency, ensuring consistent library versions across the project. Additionally, the liteK8sDeploymentManager project has been updated to include the same async-http-client-backend-future dependency. The overall structure of the dependencies has been streamlined to enhance compatibility and reduce the risk of version conflicts. The changelog and migration guide have also been updated to reflect new features, improvements, and breaking changes for version 1.19.0, including updates to the components-api module and various API modifications.

Possibly related PRs

Suggested labels

client, submodules

Suggested reviewers

  • JulianWielga
  • lukasz-bigorajski


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
docs/MigrationGuide.md (2)

Line range hint 4-4: Add unit tests as mentioned in TODO comment

Tests should be added to verify the behavior of the formula function, especially given the recent parameter addition.

Would you like me to help create unit tests for this function?


Security update needed: requests 2.26.0 has known vulnerabilities

The pinned version 2.26.0 of requests is affected by two moderate severity vulnerabilities:

  • Unintended leak of Proxy-Authorization header (fixed in 2.31.0)
  • Session verification bypass vulnerability (fixed in 2.32.0)

Recommend upgrading to the latest stable version 2.32.3 to address these security issues.

🔗 Analysis chain

Line range hint 6-6: Verify security of fixed requests version

The requests library is pinned to version 2.26.0. Let's verify if this version has any known security vulnerabilities.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check PyPI for latest versions and GitHub for security advisories

# Get latest version from PyPI
echo "Latest version from PyPI:"
curl -s https://pypi.org/pypi/requests/json | jq -r '.info.version'

# Check for security advisories
echo -e "\nSecurity advisories:"
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: PIP, package: "requests") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 1716

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0f94b80 and 91a2707.

📒 Files selected for processing (3)
  • build.sbt (5 hunks)
  • docs/Changelog.md (1 hunks)
  • docs/MigrationGuide.md (1 hunks)
🔇 Additional comments (7)
docs/Changelog.md (1)

17-22: LGTM! Changes are well documented.

The changelog entries accurately reflect the dependency cleanup and API enhancement changes:

  1. Component API enhancement for SpEL template access
  2. Dependency cleanup:
    • Narrowing of async-http-client dependency
    • Addition of http-utils compile-time dependency
docs/MigrationGuide.md (1)

Line range hint 1-2: LGTM!

The subtraction function is implemented correctly.

build.sbt (5)

814-823: Addition of httpUtils Dependency

Including httpUtils as a compile-time dependency in the flinkExecutor module ensures consistent Netty versions across the dependency stack (sttp -> async-http-client -> netty). This prevents NoClassDefFoundError exceptions and reduces the model jar size.


1367-1375: Adding httpUtils to liteEngineRuntime Dependencies

Adding httpUtils as a compile-time dependency in the liteEngineRuntime module is appropriate to maintain consistent Netty versions. This helps avoid potential runtime conflicts and reduces the model jar size.


1562-1575: Updated Dependencies in componentsApi Module

The additions to the dependencies in the componentsApi module enhance functionality and align with project requirements. Ensure that all version variables (e.g., flinkCommonsTextV, catsV, enumeratumV) are correctly defined and up to date.


1710-1713: Including sttp Dependencies in httpUtils Module

Adding the sttp dependencies to the httpUtils module helps maintain consistent library versions and prevents potential runtime errors due to mismatched Netty versions in the dependency stack.


1523-1528: Verify Netty Version Consistency in Test Dependencies

The inclusion of async-http-client-backend-future in the test scope may introduce Netty version conflicts. Please verify that the Netty versions across all dependencies are consistent to prevent runtime issues.

Run the following script to list Netty dependencies and their versions:

✅ Verification successful

Based on the results, I can now generate the final response:

Netty Version Consistency is Already Managed

The codebase already handles Netty version consistency carefully:

  • A single nettyV = "4.1.113.Final" is defined and used across all Netty dependencies
  • There are explicit comments acknowledging and addressing the sttp -> async-http-client -> netty dependency chain
  • The project has proper exclusion rules for conflicting Netty versions (e.g., azure-core-http-netty exclusions)
  • Netty reactive streams version is explicitly managed with nettyReactiveStreamsV = "2.0.12"
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: List Netty dependencies and their versions in the project.

# Search for Netty dependencies in build.sbt.
rg 'netty' build.sbt

Length of output: 1569


Script:

#!/bin/bash
# Let's check the version of netty that async-http-client-backend-future brings in
rg -A 1 'sttpV' build.sbt
rg -A 1 'async-http-client' build.sbt

# Also check for any other potential netty dependencies through transitive dependencies
rg 'val.*=.*".*netty.*"' build.sbt

Length of output: 2360

@arkadius arkadius changed the base branch from componentsApi-remove-netty-dependency to staging November 27, 2024 16:40
@arkadius arkadius changed the base branch from staging to componentsApi-remove-netty-dependency November 27, 2024 16:41
Base automatically changed from componentsApi-remove-netty-dependency to staging November 28, 2024 08:30
Contributor

@lukasz-bigorajski lukasz-bigorajski left a comment

LGTM

@arkadius arkadius merged commit 02bcde6 into staging Nov 28, 2024
3 of 5 checks passed
@arkadius arkadius deleted the flinkexecutor-httputils-dependency branch November 28, 2024 08:33

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)
docs/MigrationGuide.md (1)

Line range hint 4-4: Add unit tests as indicated by TODO comment

The TODO comment indicates missing tests. Unit tests are important to verify the behavior of this function, especially given it was recently modified to add a new parameter.

Would you like me to help create unit tests for this function?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 67cbe70 and b2d1c20.

📒 Files selected for processing (3)
  • build.sbt (5 hunks)
  • docs/Changelog.md (1 hunks)
  • docs/MigrationGuide.md (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/Changelog.md
🔇 Additional comments (4)
build.sbt (2)

814-823: LGTM! Well-documented dependency management improvement.

The addition of httpUtils as a compile-time dependency to flinkExecutor is a good solution for:

  1. Resolving NoClassDefFoundError issues caused by conflicting netty versions
  2. Reducing the size of the model jar bundle
  3. Ensuring consistent library versions across the dependency stack (sttp -> async-http-client -> netty)

This change establishes a pattern where common HTTP-related dependencies are managed through a shared module, promoting consistency and reducing the risk of version conflicts.

Let's verify the dependency tree to confirm the resolution of netty version conflicts:

✅ Verification successful

LGTM! The dependency management approach is well-implemented and consistent

The verification confirms that:

  1. The project uses a fixed netty version (4.1.113.Final) across all dependencies
  2. The httpUtils module is properly configured as a shared dependency to ensure consistent versions in the stack: sttp -> async-http-client -> netty
  3. Azure dependencies that could introduce conflicting netty versions are properly excluded
  4. The dependency is correctly added as compile-time to both flinkExecutor and liteEngineRuntime

The implementation effectively:

  • Prevents NoClassDefFoundError by maintaining consistent netty versions
  • Reduces jar bundle size through shared dependencies
  • Follows good practices in dependency management with proper exclusions and version control
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for potential netty version conflicts in the dependency tree
# Expected: Only one version of netty should be present

# Check netty versions in the classpath
sbt 'flinkExecutor/dependencyTree' | grep -i netty

# Verify the size reduction in the model jar
ls -lh flinkExecutor/target/scala-*/flinkExecutor.jar

Length of output: 296


Script:

#!/bin/bash
# Let's try a different approach to verify the dependency structure
# First, check if there are any direct netty dependencies declared in build.sbt
rg -A 3 -B 3 "netty" build.sbt

# Then check for any other HTTP client related dependencies
rg -A 3 -B 3 "async-http-client|sttp|http" build.sbt

# Also check for any dependency exclusions related to netty
rg "exclude\(" build.sbt

Length of output: 26909


1367-1375: LGTM! Consistent dependency management approach.

The addition of httpUtils as a compile-time dependency to liteEngineRuntime follows the same pattern as flinkExecutor, ensuring consistent dependency management across different runtime environments.

Let's verify the dependency resolution is consistent with the Flink executor:

✅ Verification successful

Dependency management approach is consistent across the codebase

Based on the analysis of build.sbt, the review comment is correct. The evidence shows:

  • httpUtils is consistently used across multiple components, with some using it as a Provided dependency (e.g., in Flink components) and others as a direct dependency where needed
  • The liteEngineRuntime's dependency on httpUtils aligns with the codebase's pattern, particularly considering the comment about managing netty version conflicts
  • Both Flink and Lite runtimes show careful management of their HTTP-related dependencies, with Flink using provided scope for potential conflict resolution and Lite runtime explicitly managing its HTTP stack (sttp, akka-http)
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Compare netty versions between Flink and Lite runtimes
# Expected: Both should use the same version of netty

# Check netty versions in both classpaths
echo "=== Flink Runtime ==="
sbt 'flinkExecutor/dependencyTree' | grep -i netty
echo "=== Lite Runtime ==="
sbt 'liteEngineRuntime/dependencyTree' | grep -i netty

# Compare jar sizes to verify optimization
echo "=== Jar sizes ==="
ls -lh */target/scala-*/flinkExecutor.jar */target/scala-*/liteEngineRuntime.jar 2>/dev/null

Length of output: 529


Script:

#!/bin/bash
# Let's try a different approach by examining the build.sbt file directly
# to verify the dependency management consistency between Flink and Lite runtimes

# First, let's look at the flinkExecutor dependencies
echo "=== Flink Executor Dependencies ==="
rg "lazy val flinkExecutor" -A 20 build.sbt

# Then, let's look at the liteEngineRuntime dependencies
echo "=== Lite Engine Runtime Dependencies ==="
rg "lazy val liteEngineRuntime" -A 20 build.sbt

# Also check for any other httpUtils dependencies to verify consistency
echo "=== Other httpUtils Dependencies ==="
rg "httpUtils" build.sbt

Length of output: 4931

docs/MigrationGuide.md (2)

Line range hint 1-2: LGTM!

The subtraction function is implemented correctly.


Line range hint 6-6: Verify security of pinned requests version

The requests library is pinned to version 2.26.0. Let's verify if this version has any known security vulnerabilities.
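
The single-Netty-version check that the review scripts above aim at, as an added example that is not part of the PR or of the bot's scripts: it parses dependency-tree text and fails when io.netty artifacts resolve to different versions. The sample trees, the `example:` coordinates, and the versions 4.1.60.Final and 2.0.66.Final are constructed, and the line format (including the `evicted by` marker) is assumed to match what `sbt dependencyTree` prints.

```shell
#!/bin/bash
# Added example: fail when io.netty artifacts in dependency-tree text
# resolve to more than one version.

# Print the distinct versions of io.netty artifacts that stay on the classpath.
# Evicted entries are skipped; netty-tcnative is skipped because it follows
# its own 2.0.x version line.
netty_versions() {
  awk '
    /evicted by/ { next }
    {
      while (match($0, /io\.netty:netty-[A-Za-z0-9_.-]+:[0-9][A-Za-z0-9_.-]*/)) {
        coord = substr($0, RSTART, RLENGTH)
        $0 = substr($0, RSTART + RLENGTH)
        split(coord, part, ":")
        if (part[2] !~ /^netty-tcnative/) print part[3]
      }
    }' | sort -u
}

# Exit status: 0 = one version (printed), 1 = mixed, 2 = no io.netty found.
check_netty_consistency() {
  local versions count
  versions=$(netty_versions)
  if [ -z "$versions" ]; then
    echo "no io.netty artifacts found" >&2
    return 2
  fi
  count=$(printf '%s\n' "$versions" | grep -c '')
  if [ "$count" -ne 1 ]; then
    echo "mixed Netty versions on classpath:" >&2
    printf '  %s\n' $versions >&2
    return 1
  fi
  echo "$versions"
}

# Constructed sample input (assumed tree format, placeholder coordinates).
sample_consistent() {
  cat <<'EOF'
[info] example:flink-executor_2.13:0.0.0-SAMPLE
[info]   +-example:http-utils_2.13:0.0.0-SAMPLE
[info]   | +-org.asynchttpclient:async-http-client:0.0.0-SAMPLE
[info]   |   +-io.netty:netty-handler:4.1.60.Final (evicted by: 4.1.113.Final)
[info]   |   +-io.netty:netty-handler:4.1.113.Final
[info]   |   +-io.netty:netty-codec-http:4.1.113.Final
[info]   +-io.netty:netty-tcnative-boringssl-static:2.0.66.Final
EOF
}

sample_mixed() {
  cat <<'EOF'
[info] example:model_2.13:0.0.0-SAMPLE
[info]   +-io.netty:netty-handler:4.1.113.Final
[info]   +-io.netty:netty-codec-http:4.1.60.Final
EOF
}

# Demo on the constructed samples.
sample_consistent | check_netty_consistency
sample_mixed | check_netty_consistency || echo "conflict detected (exit $?)"
```

In a build, pipe the output of `sbt 'flinkExecutor/dependencyTree'` into `check_netty_consistency` and treat a non-zero exit as a failed gate.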
