@curquiza curquiza commented Sep 22, 2025

Reverts #892

Summary by CodeRabbit

  • Chores
    • Adjusted application dependencies and build tooling to earlier versions to maintain consistency across environments. No user-facing changes expected.
  • Tests
    • Aligned test frameworks and supporting libraries to earlier versions for consistency.

coderabbitai bot commented Sep 22, 2025

Walkthrough

The build.gradle file updates multiple dependency versions by downgrading libraries across runtime, testing, and tooling scopes, including Gson, OkHttp/Okio, Jackson, JUnit BOM/Jupiter, and Lombok.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| Runtime dependencies (build.gradle) | Downgraded: gson 2.13.2 → 2.13.1; okhttp 5.1.0 → 4.12.0; jackson-databind (compileOnly) 2.20.0 → 2.19.0 |
| Test dependencies (build.gradle) | Downgraded: junit-bom 5.13.4 → 5.13.0; junit-jupiter 5.13.4 → 5.13.0; okio 3.16.0 → 3.12.0; okhttp (test) 5.1.0 → 4.12.0; jackson-databind (test) 2.20.0 → 2.19.0 |
| Tooling (Lombok) (build.gradle) | Downgraded Lombok: compileOnly/annotationProcessor/testCompileOnly/testAnnotationProcessor 1.18.42 → 1.18.38 |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I nudge the knobs, click-click, not bold—
Versions hop back, tidy and controlled.
OkHttp slows, JUnit strolls;
Gson yawns, Jackson rolls.
With whiskered wisdom, I prune the vine—
Smaller carrots, clean build time. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "Revert "Bump the gradle-dependencies group across 1 directory with 7 updates"" clearly states the PR's primary action—reverting a previous dependency bump—and directly corresponds to the changeset that downgrades several dependencies (gson, okhttp, junit, jackson, lombok). It is concise, specific, and informative for a reviewer scanning the repository history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@curquiza curquiza added the bug Something isn't working label Sep 22, 2025

@brunoocasali brunoocasali left a comment

LGTM!

@curquiza

bors merge

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
build.gradle (3)

57-58: Rely on the JUnit BOM; drop the explicit version on junit-jupiter.

Keeps versions in one place and reduces drift. 5.13.0 is available for both the BOM and artifacts. (repo1.maven.org)

- testImplementation(platform('org.junit:junit-bom:5.13.0'))
- testImplementation('org.junit.jupiter:junit-jupiter:5.13.0')
+ testImplementation(platform('org.junit:junit-bom:5.13.0'))
+ testImplementation('org.junit.jupiter:junit-jupiter')
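
Review bot: the first removed/added pair is identical (the `junit-bom` platform line does not change), so it should be shown as context; the only real change is dropping `:5.13.0` from the `junit-jupiter` coordinate. The version-less coordinate resolves only while the `platform('org.junit:junit-bom:5.13.0')` line stays in the same `testImplementation` configuration, so keep the two lines together.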

64-64: Downgrading jackson-databind: re-check security posture.

2.19.0 is on Central, but stepping back from 2.20.0 may skip fixes. Jackson has a long CVE history around polymorphic deserialization; ensure we don’t enable Default Typing or deserialize untrusted input, or prefer staying on 2.20.0. (mvnrepository.com)

  • Consider keeping 2.20.0 if no concrete incompatibility drove the revert.
  • If 2.19.0 is required, add tests/guards for safe deserialization and document the decision.

Optional centralize version to avoid drift:

- testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.19.0'
+ testImplementation "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
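
Review bot: `${jacksonVersion}` on the added line is not defined anywhere in the visible lines, so unless build.gradle already declares it, applying this suggestion as written fails when the build script is evaluated. Declare the property in the same change (for example in `gradle.properties` or an `ext` block), set to `2.19.0`, so the resolved version stays the one this revert intends.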

67-67: Align compileOnly Jackson with the test one and consider a single version definition.

To prevent accidental skew, prefer a shared version property or Version Catalog for jackson-databind across scopes. (mvnrepository.com)

- compileOnly group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.19.0'
+ compileOnly "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
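
Review bot: applying this line without the matching change at line 64 leaves `testImplementation` pinned to the literal `2.19.0`, which is the skew the comment is trying to prevent; switch both scopes to the shared property in one commit. The move from map notation to a double-quoted string is required for `${...}` interpolation in Groovy, so the double quotes must be kept.
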
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4557bac and 2aae7cd.

📒 Files selected for processing (1)
  • build.gradle (1 hunks)
🔇 Additional comments (4)
build.gradle (4)

51-51: Gson 2.13.1 exists on Central; revert looks safe.

Version 2.13.1 is published on Maven Central, so this downgrade won’t break resolution. (repo1.maven.org)


62-63: Test deps downgrade looks fine.

Okio 3.12.0 and OkHttp 4.12.0 are published and compatible for typical test usage. (mvnrepository.com)


70-73: Lombok 1.18.38 is published; annotation processor wiring looks correct.

No issues spotted; confirm builds run with -parameters/annotation processing enabled in CI. (repo1.maven.org)


54-54: Don't switch to implementation — OkHttp types are part of the public API.

The class exposes okhttp3 types (public constructor CustomOkHttpClient(Config, OkHttpClient)), so changing api → implementation would hide OkHttp from consumers and break them; either keep api or first remove/abstract OkHttp types from public signatures.

Location: src/main/java/com/meilisearch/sdk/http/CustomOkHttpClient.java (lines 20–27, public constructor at line 24).

Likely an incorrect or invalid review comment.

meili-bors bot commented Sep 22, 2025

Build succeeded:

@meili-bors meili-bors bot merged commit 41ef861 into main Sep 22, 2025
4 checks passed
@meili-bors meili-bors bot deleted the revert-892-dependabot/gradle/gradle-dependencies-6131b219f8 branch September 22, 2025 15:17