Strip META-INF/maven/** from uber and thin JARs #1408

Open
sreekanth-db wants to merge 3 commits into databricks:main from sreekanth-db:fix/strip-meta-inf-maven-from-uber-jar

@sreekanth-db (Collaborator) commented Apr 14, 2026

Summary

  • Strip META-INF/maven/** (pom.properties, pom.xml) from the shade plugin filter in both assembly-uber and assembly-thin.
  • Dependency information remains available in the published POM on Maven Central.

Test plan

  • Built uber JAR and verified META-INF/maven/ has 0 entries
  • Verified all other META-INF files intact (MANIFEST.MF, services/, io.netty.versions.properties)
  • TestUberPackaging shaded dependency tests pass
  • CI checks

This pull request was AI-assisted by Isaac.

Signed-off-by: Sreekanth Vadigi <[email protected]>

Co-authored-by: Isaac
Signed-off-by: Sreekanth Vadigi <[email protected]>
Same exclusion as the uber JAR. Arrow is the only shaded
dependency in the thin JAR, but its Maven metadata is equally
redundant — dependency info is in the published POM on Maven Central.

Signed-off-by: Sreekanth Vadigi <[email protected]>

Co-authored-by: Isaac
Signed-off-by: Sreekanth Vadigi <[email protected]>
@sreekanth-db changed the title from "Strip META-INF/maven/** from uber JAR" to "Strip META-INF/maven/** from uber and thin JARs" on Apr 15, 2026
Comment thread assembly-thin/pom.xml
<exclude>META-INF/LICENSE.txt</exclude>
<exclude>META-INF/versions/**</exclude>
<exclude>META-INF/maven/**</exclude>
</excludes>
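
Review bot: The new `<exclude>META-INF/maven/**</exclude>` entry, the last item in this `<excludes>` list, is a broad glob with no XML comment stating what it is meant to remove. It matches everything under META-INF/maven/, not only pom.properties, so a one-line comment giving the intent would help the next reader; if only part of that directory should go, narrow the pattern to those paths.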
Collaborator

[F1] Thin JAR: useDependencyReducedPomInJar interaction with new exclude (Severity: Medium)

The thin JAR sets useDependencyReducedPomInJar=true at assembly-thin/pom.xml:116-118, which embeds a reduced POM inside the JAR at META-INF/maven/<groupId>/<artifactId>/pom.xml. The new META-INF/maven/** exclude will strip that embedded reduced POM as well.

If any consumer of the thin JAR reads the embedded reduced POM at runtime (rather than fetching the sibling .pom from Maven Central), this silently removes it.

Suggested fix: Either

  1. Confirm the embedded reduced POM is intentionally stripped (likely fine — most consumers use the Maven Central POM), and call this out in the PR description / changelog, or
  2. Narrow the exclude to META-INF/maven/**/pom.properties so the reduced pom.xml remains embedded.

Posted by Code Review Squad.

Collaborator Author

Yes, this change is intentional and mentioned in the change log

Signed-off-by: Sreekanth Vadigi <[email protected]>

Co-authored-by: Isaac
Signed-off-by: Sreekanth Vadigi <[email protected]>
@tejassp-db (Collaborator) left a comment

Are there any use cases for including the pom.xml in the JAR? If not then this looks good. Have we validated that the final JAR that is produced does not contain these artifacts anymore?

@sreekanth-db (Collaborator, Author)

No use cases — these files are Maven build metadata that no code reads at runtime. Dependency info is available in the published POM on Maven Central.

Validated locally — uber JAR has 0 META-INF/maven entries, thin JAR has 0 dependency metadata entries (only its own reduced POM remains, which the shade plugin injects post-filter via useDependencyReducedPomInJar).

@sreekanth-db (Collaborator, Author)

Re: [F1] - The reduced POM is not affected — the shade plugin injects it post-filter, so the META-INF/maven/** exclude can't strip it. Verified locally that it remains in the thin JAR.

@tejassp-db useDependencyReducedPomInJar=true was added in #1243 (line 122 in assembly-thin/pom.xml). Are there any consumers that read this embedded reduced POM from inside the JAR?
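
The local validation described in the test plan and in the replies above can be scripted. The following is an added example, not code from this PR or the project: it reports what remains under META-INF/maven/ in a JAR, separating the JAR's own embedded POM from dependency metadata, and checks that other META-INF files are still present. The coordinates com.example/example-thin, the function names and the in-memory sample JARs are constructed assumptions.

```python
import io
import zipfile

MAVEN_DIR = "META-INF/maven/"

def audit_jar(jar, own_group, own_artifact, required=()):
    """Report Maven metadata left in a JAR.

    jar: path or binary file object. own_group/own_artifact: coordinates of
    the JAR's own project, whose reduced POM may legitimately remain.
    required: entries that the filter must not have removed.
    """
    own_dir = f"{MAVEN_DIR}{own_group}/{own_artifact}/"
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    maven = [n for n in names if n.startswith(MAVEN_DIR)]
    return {
        "own": sorted(n for n in maven if n.startswith(own_dir)),
        "dependency": sorted(n for n in maven if not n.startswith(own_dir)),
        "missing": sorted(set(required) - set(names)),
    }

def build_sample_jar(entries):
    """Constructed in-memory JAR (empty files) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed sample data; com.example/example-thin is a placeholder coordinate.
KEEP = ["META-INF/MANIFEST.MF", "META-INF/io.netty.versions.properties"]
OWN_POM = "META-INF/maven/com.example/example-thin/pom.xml"
ARROW = [
    "META-INF/maven/org.apache.arrow/arrow-vector/pom.xml",
    "META-INF/maven/org.apache.arrow/arrow-vector/pom.properties",
]

def demo():
    """Audit a JAR built without the exclude and one built with it."""
    unfiltered = build_sample_jar(KEEP + [OWN_POM] + ARROW)
    filtered = build_sample_jar(KEEP + [OWN_POM])
    return (audit_jar(unfiltered, "com.example", "example-thin", KEEP),
            audit_jar(filtered, "com.example", "example-thin", KEEP))

if __name__ == "__main__":
    for report in demo():
        print(report)
```

In a build pipeline, `audit_jar` can be pointed at the real artifact path and the build failed when `dependency` or `missing` is non-empty.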
