Posted to issues@maven.apache.org by "Marc Carter (Jira)" <ji...@apache.org> on 2021/02/02 10:06:01 UTC

[jira] [Commented] (MNG-5761) Dependency management is not transitive.

    [ https://issues.apache.org/jira/browse/MNG-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17277004#comment-17277004 ] 

Marc Carter commented on MNG-5761:
----------------------------------

Finally realised why I see so many poms with more {{<exclusions>}} than {{<dependencies>}}. This is counter-intuitive and breaks basic encapsulation principles. 

To be clear, just in case it's lost in the above noise, my understanding here is not that _all_ of {{project_A}}'s managed-dependencies should appear in {{project_C}} (BOM-style). Only {{project_A}}'s _effective_ managed-dependencies should appear transitively - those that changed A's _effective pom_. 

I do see that this might be difficult to capture without publishing a generated pom where those are instantiated as actual <dependencies> (sort of how non-Maven tools publish into Maven repos by building a minimal "runtime pom").

> Dependency management is not transitive.
> ----------------------------------------
>
>                 Key: MNG-5761
>                 URL: https://issues.apache.org/jira/browse/MNG-5761
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.2.5
>            Reporter: Jeff Schnitzer
>            Priority: Critical
>             Fix For: 4.0.x-candidate
>
>         Attachments: MNG-5761.zip
>
>
> A detailed description of the issue is here:
> http://stackoverflow.com/questions/28312975/maven-dependencymanagement-version-ignored-in-transitive-dependencies
> The short of it is that Maven appears to be using the wrong <dependencyManagement> version in a transitive dependency. There are two relevant <dependencyManagement> sections in the build, one pulled in by guice and one pulled in by gwizard-parent. These are the dependency paths from the top:
> gwizard-example -> gwizard-config -> gwizard-parent
> gwizard-example -> gwizard-config -> guice -> guice-parent
> gwizard-parent's dependencyManagement specifies guava 18
> guice-parent's dependencyManagement specifies guava 16
> Guava 16 is winning. This seems highly undesirable, and in fact it breaks our build. I would expect that in a version # fight, "closest to the top" should win.



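The guava 16 versus guava 18 conflict in the quoted report can be settled in the consuming project's own pom, because the `<dependencyManagement>` of the project being built applies to its whole transitive graph. The fragment below is an added example, not part of the thread or of the gwizard or guice builds: the `com.example` groupId and the project version are placeholders, `18.0` is assumed to be the release the report calls "guava 18", and the enforcer plugin version is an assumption.

```xml
<!-- Added example: pom.xml of the top-level consumer (gwizard-example in the report). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>              <!-- placeholder -->
  <artifactId>gwizard-example</artifactId>
  <version>0.0.0-PLACEHOLDER</version>        <!-- placeholder -->

  <!-- Pin the version here: management declared in a dependency's parent
       (gwizard-parent, guice-parent) does not reach this build. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>18.0</version>               <!-- assumed release for "guava 18" -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- <dependencies> on gwizard-config etc. stay as they are. -->

  <build>
    <plugins>
      <!-- Fail the build when transitive paths disagree on a version,
           so a silent downgrade is caught without reading the tree by hand. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>              <!-- assumed version -->
        <executions>
          <execution>
            <id>enforce-convergence</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules><dependencyConvergence/></rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree -Dincludes=com.google.guava:guava` before and after the change shows which guava version each path resolves to.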