chore: bump-okhttp-4.12.0-to-5.0.0

[Munhangyeol]

Closes #13509

Steps to test

Mandatory checks

• I own the copyright of the code submitted and I license it under the MIT license
• Change in CHANGELOG.md described in a way that is understandable for the average user (if change is visible to the user)
• Tests created for changes (if applicable)
• Manually tested changed features in running JabRef (always required)
• Screenshots added in PR description (if change is visible to the user)
• Checked developer's documentation: Is the information available and up to date? If not, I outlined it in this pull request.
• Checked documentation: Is the information available and up to date? If not, I created an issue at https://github.com/JabRef/user-documentation/issues or, even better, I submitted a pull request to the documentation repository.

[koppor]

I think, now two modules have the same name - see line 149.

[Munhangyeol]

I understand your concern. Even though two modules are assigned the same name here, there is no actual conflict because they refer to completely separate artifacts (okhttp vs. okhttp-jvm).

This duplication is currently necessary because some dependencies (such as langchain4j-hugging-face) still require the legacy okhttp artifact, while our project relies on the newer okhttp-jvm from OkHttp 5.x.

Since the Java Module System (JPMS) treats them as distinct jars, and as long as both modules are not loaded into the same named module path, this setup works without any issues.

[Munhangyeol]

If there's anything wrong or anything I should fix in what I said, please feel free to let me know :)

[koppor]

My gut feeling says that overloaded module names will cause issues. Especially when we will switch to use modules as the primary source of dependencies: https://github.com/gradlex-org/java-module-dependencies

[Munhangyeol]

Overloaded module names could definitely cause issues, especially if we move towards using modules as the primary way of managing dependencies in the future.
I’ll try to look into this and hopefully resolve it by tomorrow or the day after. Please feel free to let me know if there’s anything I missed or should improve!

[Munhangyeol]

I checked the dependency tree with the dependencies task, and you're right.
Gradle resolves okhttp to version 5.0.0 automatically because of other dependencies or version conflicts.
However, since langchain4j-hugging-face still relies on the 4.x API, upgrading to 5.0.0 breaks compatibility.

[koppor]

Does a separte module name help to avoid module name overloading?

The modules will be on the same path - as JabRef needs all of them.

[Munhangyeol]

In the current situation, module name conflicts are unavoidable, and using separate module names alone does not fundamentally resolve the issue.

[jjohannes]

com.squareup.okhttp3:okhttp is not really a module anymore. The Jar is more or less empty now. This is Kotlin multi-platform stuff.

I think it does not end up the Module Path, but is needed by the mechanism that looks at the metadata to create the missing module-info files. That the checks are passing on this PR indicates that everything is ok.

I know that it looks like the name is used twice, but in practice only one of the Jars is used. It's confusing but its Kotlin Multi-Platform libraries "clashing" with JPMS. Maybe add a comment about this to the module("com.squareup.okhttp3:okhttp", "okhttp3") line.

We have a similar situation here with kotlinpoet:

https://github.com/hiero-ledger/hiero-gradle-conventions/blob/main/src/main/kotlin/org.hiero.gradle.base.jpms-modules.gradle.kts#L156-L157

[jjohannes]

The name okhttp3 is correct because the MANIFEST of com.squareup.okhttp3:okhttp-jvm contains

Automatic-Module-Name: okhttp3

[trag-bot]

@trag-bot didn't find any issues in the code! ✅✨