Skip to content

Commit 47ceb0f

Browse files
ctawiahcursoragent
andcommitted
chore: remove external Mustache dependency, defer interpolation to AIC-2695 (AIC-2662)
Per the SDK team's supply-chain guidance we will not link the external com.samskivert:jmustache artifact. Drop the dependency and the Interpolator (plus its tests) from this PR; the Mustache engine will be vendored (source copied into an internal, relocated package) together with the Interpolator in AIC-2695, which gates the v1.0 release. This PR now ships only the data model and the defensive LDValue parsing layer, neither of which depends on a templating engine. Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 11043ab commit 47ceb0f

3 files changed

Lines changed: 6 additions & 207 deletions

File tree

lib/sdk/server-ai/build.gradle

Lines changed: 6 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -44,16 +44,12 @@ ext {
4444
ext.versions = [
4545
// The *lowest* version of the base SDK we are compatible with. LDClientInterface
4646
// appears in this library's public signature, so it is exposed as an `api` dependency.
47-
"sdk": "7.14.0",
48-
// jmustache: Mustache engine for AI Config message/instruction interpolation.
49-
// Audit (AIC-2662): com.samskivert:jmustache is BSD 2-Clause licensed and ships as a single
50-
// self-contained jar with no transitive runtime dependencies (verified via the published POM).
51-
// Chosen over mustache.java / Handlebars.java for its zero-dependency footprint; HTML escaping
52-
// is disabled to match the JS/Python SDKs.
53-
// Pinned to 1.15 (NOT 1.16): 1.16 is compiled for Java 9 (class file 53.0) and throws
54-
// UnsupportedClassVersionError on the Java 8 runtimes this SDK supports. 1.15 is the last
55-
// release compiled for Java 8 and exposes the same compiler API we use.
56-
"jmustache": "1.15"
47+
"sdk": "7.14.0"
48+
// NOTE: the Mustache templating engine (for AI Config message/instruction interpolation) is
49+
// intentionally not declared here. Per the SDK team's supply-chain guidance we will not link the
50+
// external com.samskivert:jmustache artifact; the library will be vendored (source copied into an
51+
// internal, relocated package) along with the Interpolator in AIC-2695, which must land before the
52+
// v1.0 release (AIC-2666).
5753
]
5854

5955
ext.libraries = [:]
@@ -62,9 +58,6 @@ dependencies {
6258
// Exposed on the public API surface (LDClientInterface), therefore `api` not `implementation`.
6359
api "com.launchdarkly:launchdarkly-java-server-sdk:${versions.sdk}"
6460

65-
// Mustache templating, kept as `implementation` so it is not leaked onto consumers' classpath.
66-
implementation "com.samskivert:jmustache:${versions.jmustache}"
67-
6861
testImplementation "org.hamcrest:hamcrest-all:1.3"
6962
testImplementation "junit:junit:4.13.2"
7063
testImplementation "org.mockito:mockito-core:3.12.4"

lib/sdk/server-ai/src/main/java/com/launchdarkly/sdk/server/ai/internal/Interpolator.java

Lines changed: 0 additions & 97 deletions
This file was deleted.

lib/sdk/server-ai/src/test/java/com/launchdarkly/sdk/server/ai/internal/InterpolatorTest.java

Lines changed: 0 additions & 97 deletions
This file was deleted.

0 commit comments

Comments
 (0)