You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Marc (Jira)" <ji...@apache.org> on 2021/04/12 21:01:00 UTC

[jira] [Commented] (MNG-5761) Dependency management is not transitive.

    [ https://issues.apache.org/jira/browse/MNG-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319717#comment-17319717 ] 

Marc commented on MNG-5761:
---------------------------

I think I am facing the issue as well through BOMs. I have a project with a parent that <imports> Spring Boot Dependencies, defining latest junit dependency, and then I importedĀ com.github.cloudyrock.mongock, which contains a parent with a <dependencyManagement> version of an older JUnit dependency and according to help:effective-pom -DverboseĀ its resolving the later.

I personally think this is absolutely impacting on current development. As soon as any Spring Boot project declares a dependency which uses dependencyManagement/BOM internally, we are going to loose track of Boot BOMs and cause incompatibilities very easy.

It's very counterintiuitive that any dependency can override the versioning coming from parent projects.

> Dependency management is not transitive.
> ----------------------------------------
>
>                 Key: MNG-5761
>                 URL: https://issues.apache.org/jira/browse/MNG-5761
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.2.5
>            Reporter: Jeff Schnitzer
>            Priority: Critical
>             Fix For: 4.0.x-candidate
>
>         Attachments: MNG-5761.zip
>
>
> A detailed description of the issue is here:
> http://stackoverflow.com/questions/28312975/maven-dependencymanagement-version-ignored-in-transitive-dependencies
> The short of it is that maven appears to be using the wrong <dependencyManagement> version in a transitive dependency.  There are two relevant <dependencyManagement> sections in the build, one pulled in by guice and one pulled in by gwizard-parent. These are the dependency paths from the top:
> gwizard-example -> gwizard-config -> gwizard-parent
> gwizard-example -> gwizard-config -> guice -> guice-parent
> gwizard-parent's dependencyManagement specifies guava 18
> guice-parent's dependencyManagement specifies guava 16
> Guava 16 is winning. This seems highly undesirable, and in fact it breaks our build. I would expect that in a version # fight, "closest to the top" should win.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)