Skip to content

[java] Use byte-buddy 1.18.8 instead of 1.18.8-jdk5#17382

Open
pierluigilenoci wants to merge 4 commits intoSeleniumHQ:trunkfrom
pierluigilenoci:fix/byte-buddy-version
Open

[java] Use byte-buddy 1.18.8 instead of 1.18.8-jdk5#17382
pierluigilenoci wants to merge 4 commits intoSeleniumHQ:trunkfrom
pierluigilenoci:fix/byte-buddy-version

Conversation

@pierluigilenoci
Copy link
Copy Markdown

@pierluigilenoci pierluigilenoci commented Apr 24, 2026

🔗 Related Issues

Fixes #17355

💥 What does this PR do?

Changes the net.bytebuddy:byte-buddy dependency from 1.18.8-jdk5 to 1.18.8 in MODULE.bazel.

The -jdk5 flavor of byte-buddy is intended for Java versions lower than 8, which Selenium does not target. Using the -jdk5 variant causes Maven enforcer plugin failures in downstream projects because Maven considers 1.18.8-jdk5 as a higher version than the managed dependency 1.18.8, triggering convergence errors.

Note: The java/maven_install.json lock file will need to be regenerated after this change. A maintainer with Bazel set up can run:

REPIN=1 bazel run @unpinned_maven//:pin

🤖 AI assistance

  • AI assisted (complete below)
    • Tool(s): Claude Code (Anthropic)
    • What was generated: The commit and PR were created with AI assistance. The fix itself is a single-line version change in MODULE.bazel.
    • I reviewed all AI output and can explain the change

🔄 Types of changes

  • Bug fix

@pierluigilenoci
fix(java): use byte-buddy 1.18.8 instead of 1.18.8-jdk5
a7b0dd9 
The -jdk5 flavor of byte-buddy targets Java versions lower than 8,
which is not required by Selenium. Using the -jdk5 variant causes
Maven enforcer plugin failures because Maven considers 1.18.8-jdk5
as greater than the managed dependency 1.18.8.

Fixes SeleniumHQ#17355

Signed-off-by: Pierluigi Lenoci <pierluigilenoci@gmail.com>
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Apr 24, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@selenium-ci selenium-ci added the B-build Includes scripting, bazel and CI integrations label Apr 24, 2026
@qodo-code-review
Copy link
Copy Markdown
Contributor

qodo-code-review Bot commented Apr 24, 2026

Review Summary by Qodo

Update byte-buddy dependency to remove unnecessary JDK5 variant

🐞 Bug fix

Grey Divider

Walkthroughs

Description 
• Update byte-buddy dependency from 1.18.8-jdk5 to 1.18.8
• Resolves Maven enforcer convergence errors in downstream projects
• Removes unnecessary Java 5 compatibility variant

Grey Divider

File Changes

1. MODULE.bazel Dependencies +1/-1

Update byte-buddy version to standard release

• Changed byte-buddy version from 1.18.8-jdk5 to 1.18.8
• Removes JDK5-specific variant that causes Maven convergence issues
• Aligns with Selenium's Java 8+ target requirement

MODULE.bazel

Grey Divider

Qodo Logo

@qodo-code-review
Copy link
Copy Markdown
Contributor

qodo-code-review Bot commented Apr 24, 2026
edited
Loading

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (1) 📎 Requirement gaps (0)

Context used

Grey Divider


Action required

1. Outdated Bazel lockfile ✓ Resolved 🐞 Bug ≡ Correctness
Description 
MODULE.bazel now requests net.bytebuddy:byte-buddy:1.18.8, but //java:maven_install.json still
pins net.bytebuddy:byte-buddy to 1.18.8-jdk5, which makes the lock file inconsistent with the
requested artifacts. With fail_if_repin_required = True and `lock_file =
"//java:maven_install.json"`, Bazel dependency resolution is expected to fail until the lock file is
repinned.
Code

MODULE.bazel[222]

+        "net.bytebuddy:byte-buddy:1.18.8",
Evidence 
The PR changes the requested Byte Buddy artifact version in MODULE.bazel, while the configured
lock file still pins the old -jdk5 variant; maven.install is configured to fail if a repin is
required, so this mismatch should be build-breaking.

MODULE.bazel[219-223]
MODULE.bazel[257-267]
java/maven_install.json[1236-1242]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`MODULE.bazel` now requests `net.bytebuddy:byte-buddy:1.18.8` but the pinned lock file still records `1.18.8-jdk5`, which makes the Bazel maven lock inconsistent and is expected to fail because repinning is enforced.

## Issue Context
`maven.install(...)` is configured with `lock_file = "//java:maven_install.json"` and `fail_if_repin_required = True`, so any artifact/version change must be reflected in the lock file.

## Fix Focus Areas
- MODULE.bazel[257-267]
- java/maven_install.json[1236-1242]

## What to do
1. Regenerate the lock file (repin) so `net.bytebuddy:byte-buddy` is pinned to `1.18.8` and shasums match.
2. Commit the updated `java/maven_install.json` produced by the repin step.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Remediation recommended

2. Unrelated lockfile hashes changed 📘 Rule violation ⚙ Maintainability ⭐ New
Description 
java/maven_install.json updates multiple non-Byte Buddy artifact hash entries, expanding the diff
beyond the stated dependency fix and increasing review/regression risk. If these changes aren’t
required for the Byte Buddy artifact switch, the lockfile should be regenerated in a way that
minimizes unrelated churn (or explicitly documented).
Code

java/maven_install.json[136]

+    "com.google.closure-stylesheets:closure-stylesheets": 813279907,
Evidence 
PR Compliance ID 3 requires narrowly-scoped diffs. The updated lockfile includes changed hash
entries for multiple artifacts other than net.bytebuddy:byte-buddy, indicating broader churn in
the generated pin data than the intended single-dependency adjustment.

AGENTS.md
java/maven_install.json[136-136]
java/maven_install.json[348-348]
java/maven_install.json[396-396]
java/maven_install.json[416-416]
java/maven_install.json[430-432]
java/maven_install.json[453-455]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`java/maven_install.json` contains updates to multiple artifacts beyond the intended Byte Buddy artifact change, creating a broader diff than necessary.

## Issue Context
This PR’s stated goal is switching `net.bytebuddy:byte-buddy` from the `-jdk5` flavor to the non-`-jdk5` artifact. If the lockfile is regenerated with a different toolchain or non-deterministic inputs, it can introduce unrelated pin/hash changes.

## Fix Focus Areas
- java/maven_install.json[136-136]
- java/maven_install.json[348-348]
- java/maven_install.json[396-396]
- java/maven_install.json[416-416]
- java/maven_install.json[430-432]
- java/maven_install.json[453-455]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Grey Divider

Previous review results

Review updated until commit b687ac3

Results up to commit a7b0dd9


🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Action required
1. Outdated Bazel lockfile ✓ Resolved 🐞 Bug ≡ Correctness
Description 
MODULE.bazel now requests net.bytebuddy:byte-buddy:1.18.8, but //java:maven_install.json still
pins net.bytebuddy:byte-buddy to 1.18.8-jdk5, which makes the lock file inconsistent with the
requested artifacts. With fail_if_repin_required = True and `lock_file =
"//java:maven_install.json"`, Bazel dependency resolution is expected to fail until the lock file is
repinned.
Code

MODULE.bazel[222]

+        "net.bytebuddy:byte-buddy:1.18.8",
Evidence 
The PR changes the requested Byte Buddy artifact version in MODULE.bazel, while the configured
lock file still pins the old -jdk5 variant; maven.install is configured to fail if a repin is
required, so this mismatch should be build-breaking.

MODULE.bazel[219-223]
MODULE.bazel[257-267]
java/maven_install.json[1236-1242]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`MODULE.bazel` now requests `net.bytebuddy:byte-buddy:1.18.8` but the pinned lock file still records `1.18.8-jdk5`, which makes the Bazel maven lock inconsistent and is expected to fail because repinning is enforced.

## Issue Context
`maven.install(...)` is configured with `lock_file = "//java:maven_install.json"` and `fail_if_repin_required = True`, so any artifact/version change must be reflected in the lock file.

## Fix Focus Areas
- MODULE.bazel[257-267]
- java/maven_install.json[1236-1242]

## What to do
1. Regenerate the lock file (repin) so `net.bytebuddy:byte-buddy` is pinned to `1.18.8` and shasums match.
2. Commit the updated `java/maven_install.json` produced by the repin step.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Qodo Logo

qodo-code-review[bot]
qodo-code-review Bot reviewed Apr 24, 2026
View reviewed changes
Comment thread MODULE.bazel
pierluigilenoci and others added 2 commits April 24, 2026 21:04
@pierluigilenoci
Merge branch 'trunk' into fix/byte-buddy-version
25d629d
@pierluigilenoci
fix(java): regenerate maven_install.json for byte-buddy 1.18.8
723cca6 
Update the Bazel Maven lockfile after changing byte-buddy from
1.18.8-jdk5 to 1.18.8. Recomputed input and resolved artifact
hashes and updated SHA256 checksums from Maven Central.

Signed-off-by: Pierluigi Lenoci <pierluigilenoci@gmail.com>
@pierluigilenoci
Copy link
Copy Markdown
Author

pierluigilenoci commented Apr 27, 2026

Regenerated java/maven_install.json to fix the lockfile signature mismatch after the byte-buddy version change.

Changes in java/maven_install.json:

  • Updated __INPUT_ARTIFACTS_HASH for net.bytebuddy:byte-buddy to match version 1.18.8
  • Updated artifact SHA256 checksums (jar + sources) from Maven Central
  • Updated version from 1.18.8-jdk5 to 1.18.8
  • Recomputed __RESOLVED_ARTIFACTS_HASH for 10 affected transitive dependents (mockito-core, assertj-core, selenium-remote-driver, selenium-support, etc.)

This is equivalent to running REPIN=1 bazel run @maven//:pin — the hash computation was done programmatically using the same algorithm as rules_jvm_external v3 lockfile format.

@qodo-code-review
Copy link
Copy Markdown
Contributor

qodo-code-review Bot commented May 10, 2026
edited
Loading

Persistent review updated to latest commit b687ac3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qodo-code-review qodo-code-review[bot] qodo-code-review[bot] left review comments

Assignees

No one assigned

Labels

B-build Includes scripting, bazel and CI integrations

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[🐛 Bug]: Selenium should depend on net.bytebuddy:byte-buddy 1.18.8 instead of 1.18.8-jdk5

4 participants

@pierluigilenoci @CLAassistant @selenium-ci @diemol