aws-auth-cognito unusable - is pulling in an old alpha version of okhttp

[kroegerama]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.

Language and Async Model

Kotlin - Coroutines

Amplify Categories

Authentication

Gradle script dependencies

implementation("com.amplifyframework:core-kotlin:2.16.1")
implementation("com.amplifyframework:aws-auth-cognito:2.16.1")

Describe the bug

All recent versions of com.amplifyframework:aws-auth-cognito pull in an alpha version of okhttp: com.squareup.okhttp3:okhttp:5.0.0-alpha.11 via transitive dependencies.

This is conflicting with our existing dependencies of okhttp 4.12.0, which is the latest stable release of okhttp.

I don't really get, why anyone considered it a good idea to use an alpha version as a dependency. There are even companies that forbid using alpha dependencies in production.

Seems, like the culprit is the aws dependency aws.smithy.kotlin:http-client-engine-okhttp-jvm:1.0.11, which had this bad dependency literally forever. I went to mvnrepository and even version 0.11.0 of this smithy client uses an alpha version. Going forward, the most recent version 1.2.2 also has an alpha dependency.

There was a ticket regarding this, but it was abandoned and closed without a fix. #2632

Is there a plan, when this will be fixed? I have no idea how to integrate cognito without messing up our production releases.

[yuhengshs]

Hi @kroegerama ,

Thanks for reporting the issue, our team will take a look and post updates here.

[yuhengshs]

Hi @kroegerama ,

Unfortunately, Amplify Android has dependency with aws-kotlin and aws-smithy. We will try to make another request internally and see if any modifications can be done.

[kroegerama]

Thanks a lot for your follow-up @yuhengshs. I look forward to hearing if your colleagues decide to fix this.

[mehulrewardle]

@yuhengshs Any update for this issue. I am also facing the conflict issue with stripe , You should use okhttp3 stable latest version

[tylerjroach]

@mehulrewardle Unfortunately, we have a hard dependency on the AWS Kotlin SDK, which is using the v5-alpha. We cannot change the OkHttp version on our end unless the AWS Kotlin SDK makes changes first.

For our knowledge, does the Stripe SDK crash if OkHttp is allowed to resolve to the v5-alpha version?

[JGerdes]

Hi @yuhengshs and @tylerjroach, is there any update on this?
As AWS Amplify v1 is officially deprecated, we need to update to v2, but can't due to the compatibility issues with OkHttp3.
Updating from v1 to v2 basically forces us to use an unstable alpha release in our network layer and risking crashes or unwanted behaviour with other libraries that transitively depend on OkHttp.

Could you try to find a solution for this issue?