What's new in Leiningen 2.8.0 and 2.8.1?

Apr 27, 2018 by Daniel Compton

Leiningen 2.8.0 and 2.8.1 came out in October of 2017. The previous release was in September 2016 so 2.8.0 and 2.8.1 contain a lot of new features and bugfixes. 2.8.1 is a bugfix release for 2.8.0, so you should update to 2.8.1 over 2.8.0. This post will outline the major new features of these releases.

Java 9 support

The biggest reason for upgrading Leiningen is Java 9 support. Leiningen 2.8.0 removes its use of the BootClassPath, as this caused problems in Java 9 with Clojure 1.8.0. There are also various other fixes for smaller Java 9 issues.

HTTPS only repositories

In this release, Leiningen removed default support for HTTP Maven repositories. This is a good move to ensure that your artifact downloads are secure, and not subject to a MITM attack. If you try and download artifacts from an HTTP repository with Leiningen 2.8.0, you will get the error:

java.lang.Exception: Tried to use insecure HTTP repository

If you run an internal Maven repository which is only available over HTTP, and you don’t want to update it to use HTTPS, you can add back in support for HTTP repositories. To do so, add this code to your project.clj:

;; re-add support for HTTP. Upgrading the Maven repository to use HTTPS is a better option
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
 "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))

Another option is to look at switching to Deps 😀. Deps provides HTTPS as default and standard on all accounts.

This upgrade has shaken out a lot of projects which had dependencies on artifacts in HTTP only repositories. If you get the “Tried to use insecure HTTP repository” error message after updating, and don’t have any HTTP repositories defined yourself, then it may be coming from one of your dependencies specifying an HTTP repository. Take a look if there are newer versions of your dependencies, they have likely been updated to an HTTPS repository to fix this issue.

Clojars CDN

Another new feature is the default usage of the new Clojars CDN (https://repo.clojars.org). This provides a faster, more reliable experience for downloading JARs from Clojars. Fastly has generously sponsored Clojars' bandwidth for running the CDN. The Clojars CDN is decoupled from the Clojars service. Even if Clojars goes down (as it did during a DDoS of Linode during Christmas 2015), you will still be able to download dependencies from the CDN.

If you are using an older version of Java (7 or below) you may get errors like:

Received fatal alert: protocol_version

This is due to the TLS settings that Fastly uses. To work around this, you can either update your Java version to at least Java 8, or set the environment variable LEIN_JVM_OPTS=-Dhttps.protocols=TLSv1.2 to force Java 7 to use TLS 1.2. Alternatively, you can switch back to using the old Clojars repository:

;; Add this to your project.clj
:repositories {"clojars" "https://clojars.org/repo"}

technomancy/leiningen#2364 has more information on this issue and discussions on ways to automatically detect and fix this issue for people.

New lein deps commands

A number of new subtasks were added to the deps command.

:why

The :why subtask can be used as an alternative to the lein deps :tree subtask if you only want to see the path to a particular dependency. You pass it a single dependency coordinate and it will show you where and why a particular version was selected. If the artifact isn’t in your dependencies, you will get no output.

$ lein deps :why io.netty/netty-codec
[com.google.cloud.trace/trace-grpc-api-service 0.5.0]
  [com.google.cloud.trace.v1/sink 0.5.0]
    [com.google.cloud/google-cloud-trace 0.24.0-alpha]
      [io.grpc/grpc-netty 1.6.1]
        [io.netty/netty-codec-http2 4.1.14.Final]
          [io.netty/netty-codec-http 4.1.14.Final]
            [io.netty/netty-codec 4.1.14.Final]

:tree-data

lein deps :tree-data is similar to the well-known lein deps :tree, but returns the dependency data as EDN. Leiningen returns the dependencies to stdout and any warnings to stderr, so you can redirect the output to a file with lein deps :tree-data > lein-deps.edn.

$ lein deps :tree-data # running against Day8/re-frame
{[binaryage/devtools "0.9.4" :scope "test"]
 {[binaryage/env-config "0.2.0" :scope "test"] nil},
 [clj-stacktrace "0.2.8"] nil,
 [clojure-complete "0.2.4" :exclusions [[org.clojure/clojure]]] nil,
 [criterium "0.4.3"] nil,
 [cuid "0.1.1"] nil,
 [karma-reporter "3.0.0-alpha1" :scope "test"]
 {[fipp "0.6.7" :scope "test"]
  {[org.clojure/core.rrb-vector "0.0.11" :scope "test"] nil}},
 ...

:plugin-tree

lein deps :plugin-tree is also similar to lein deps :tree, but instead returns the dependency tree for any loaded plugins. This can be extremely useful for tracking down dependency conflicts between plugins.

Conclusion

Leiningen 2.8.1 includes some important features and fixes, as well as Java 9 support. The steps outlined above should help avoid any errors you may get from older JDKs or HTTP Maven repositories. I recommend updating to use it at your earliest convenience.