Posted to users@maven.apache.org by Andreas Hubold <an...@coremedia.com> on 2019/05/15 09:17:41 UTC

Merging dependency exclusions from dependencyManagement and dependencies

Hi all,

I have a question on how effective dependency exclusions are computed. 
I'd expect that exclusions are additive when specified for the same 
dependency in the dependencyManagement and dependencies sections. This 
is also what I read at https://stackoverflow.com/a/10736186

The output of dependency:tree also confirms this for the project that 
declares the dependency, however the effects are different for another 
project that depends on the former.

I've prepared a simplified example with two projects a and b. You can 
find it at https://github.com/ahubold/test-maven-dependency-exclusion

a/pom.xml
- dependencyManagement for httpclient, excluding commons-logging
- dependency on httpclient, excluding commons-codec

b/pom.xml
- dependency on a

The dependency:tree for a/pom.xml shows that exclusions are additive 
here and neither commons-logging nor commons-codec show up in the 
result. That's fine.

[INFO] a:a:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile

But the dependency:tree for b/pom.xml has a transitive dependency on 
commons-logging, which confuses me:

[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-logging:commons-logging:jar:1.2:compile

I would have expected to not see commons-logging here. Its exclusion 
really seems to be hidden by the exclusion of commons-codec. If I now 
change a/pom.xml and remove the exclusion of commons-codec, then 
commons-logging will disappear from the dependencies:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-codec:commons-codec:jar:1.11:compile

My Maven version is 3.6.0.

Any thoughts? Is this a bug or intended behavior?

Kind regards,
Andreas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Merging dependency exclusions from dependencyManagement and dependencies

Posted by Andreas Hubold <an...@coremedia.com>.
Hi,

in my original post I've described that exclusions from the 
dependencyManagement are used for downstream projects as long as there 
aren't any exclusions specified at the dependency itself. So the 
conclusion that dependencyManagement isn't transitive cannot be true, at 
least for some cases. The actual behavior seems to be inconsistent and 
rather confusing to me.

Can some Maven expert/maintainer please comment on my original question? 
How is this supposed to work, is this as intended?

Thank you,
Andreas

Andy Feldman wrote on 15.05.19 18:39:
> I have observed similar behavior with the version number. My conclusion was
> that dependencyManagement is not transitive.
>
> Example of what I observed: I have a project my-library with transitive
> dependencies on 3rd-party-library version 1.1 and 1.2 that would normally
> resolve to 1.1. I use dependencyManagement in my-library to override it to
> 1.2. I use my-library from my-project. my-project gets
> 3rd-party-library 1.1 instead of 1.2.
>
> The docs at
> https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
> suggest that you can manually pull in the dependencyManagement section of
> another pom. Look for "Z imports the managed dependencies from both X and
> Y." I haven't tried this approach.
>
>
> On Wed, May 15, 2019 at 2:17 AM Andreas Hubold <an...@coremedia.com>
> wrote:
>> [...]



Re: Merging dependency exclusions from dependencyManagement and dependencies

Posted by Andy Feldman <an...@wealthfront.com>.
I have observed similar behavior with the version number. My conclusion was
that dependencyManagement is not transitive.

Example of what I observed: I have a project my-library with transitive
dependencies on 3rd-party-library version 1.1 and 1.2 that would normally
resolve to 1.1. I use dependencyManagement in my-library to override it to
1.2. I use my-library from my-project. my-project gets
3rd-party-library 1.1 instead of 1.2.

The docs at
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
suggest that you can manually pull in the dependencyManagement section of
another pom. Look for "Z imports the managed dependencies from both X and
Y." I haven't tried this approach.


On Wed, May 15, 2019 at 2:17 AM Andreas Hubold <an...@coremedia.com>
wrote:

> [...]
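The supply-chain point behind this thread: an exclusion declared in a library's POM (commons-logging in a, above) is not something a consumer can rely on without looking at its own resolved graph, and the same holds for a version pinned in a library's dependencyManagement (the 1.1 versus 1.2 case described in this reply). What follows is an added example, not code from the Maven project or from the test repository linked in the first post. It is a small Python script that parses the plain-text output of mvn dependency:tree, reports every path through which a banned groupId:artifactId still arrives in the consumer, and lists which version of each artifact won mediation. The three tree listings embedded in it are copied verbatim from the first post; the assumptions about the line format (three-character indentation per level, "+- " and "\- " connectors, an optional trailing "(...)" note as printed with -Dverbose, which is ignored) are mine and are repeated in the comments.

```python
"""Parse `mvn dependency:tree` text and check what a consumer really resolves.

Added example for the thread above, not code from the Maven project or from the
linked test repository. Assumed line format (mine): three-character indentation
per level, "+- " / "\\- " connectors, optional trailing "(...)" note (-Dverbose).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Sequence, Set, Tuple

LINE_RE = re.compile(  # [INFO] <"|  "/"   " blocks><connector><g:a:type[:cls]:v[:scope]> [(note)]
    r"^\[INFO\] ?(?P<prefix>(?:[| ] {2})*)(?P<conn>[+\\]- )?"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})(?: \(.*\))?$"
)

@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]          # None on the root line, which carries no scope
    children: List["Node"] = field(default_factory=list)

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    @property
    def gav(self) -> str:
        return f"{self.ga}:{self.version}"

def parse_coordinate(coord: str) -> Node:
    # root: g:a:type:v | dependency: g:a:type:v:scope | with classifier: g:a:type:cls:v:scope
    p = coord.split(":")
    if len(p) == 4:
        return Node(p[0], p[1], p[3], None)
    if len(p) == 5:
        return Node(p[0], p[1], p[3], p[4])
    return Node(p[0], p[1], p[4], p[5])

def parse_tree(text: str) -> List[Node]:
    """One Node per root (multi-module builds print several); non-tree lines are skipped."""
    roots: List[Node] = []
    stack: List[Node] = []        # stack[d] is the most recent node seen at depth d
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue              # plugin banner, build summary, blank [INFO] line
        node = parse_coordinate(m.group("coord"))
        depth = 0 if m.group("conn") is None else len(m.group("prefix")) // 3 + 1
        if depth == 0:
            roots.append(node)
            stack = [node]
            continue
        if depth > len(stack):
            raise ValueError(f"unexpected indentation: {raw!r}")
        stack[depth - 1].children.append(node)
        del stack[depth:]
        stack.append(node)
    return roots

def walk(node: Node, path: Sequence[str] = ()) -> Iterator[Tuple[Node, List[str]]]:
    """Depth-first (node, root-to-node path of g:a:v strings) pairs."""
    here = list(path) + [node.gav]
    yield node, here
    for child in node.children:
        yield from walk(child, here)

def banned_paths(roots: List[Node], banned: Set[str]) -> List[List[str]]:
    """Every path ending in a banned g:a; an empty list means the consumer is clean."""
    return [path for root in roots for node, path in walk(root) if node.ga in banned]

def resolved_versions(roots: List[Node]) -> Dict[str, str]:
    """Which version of each g:a won mediation (non-verbose trees print winners only)."""
    winners: Dict[str, str] = {}
    for root in roots:
        for node, _ in walk(root):
            winners.setdefault(node.ga, node.version)
    return winners

def check(tree_text: str, banned: Set[str]) -> List[List[str]]:
    return banned_paths(parse_tree(tree_text), banned)

# The three listings from the first post in the thread, verbatim.
TREE_A = r"""
[INFO] a:a:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
"""
TREE_B = r"""
[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-logging:commons-logging:jar:1.2:compile
"""
TREE_B_WITHOUT_CODEC_EXCLUSION = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-codec:commons-codec:jar:1.11:compile
"""

if __name__ == "__main__":
    for name, tree in (("a", TREE_A), ("b", TREE_B), ("b without codec exclusion", TREE_B_WITHOUT_CODEC_EXCLUSION)):
        hits = check(tree, {"commons-logging:commons-logging"})
        print(f"{name}: " + (" -> ".join(hits[0]) if hits else "commons-logging absent"))
```

Run it against the consumer's own tree, saved with mvn dependency:tree -DoutputFile=tree.txt in b, and fail the build when check() returns a non-empty list; the Maven Enforcer plugin's bannedDependencies rule performs the same kind of check from inside Maven. Either way the check belongs in the consumer, because, as the listings show, the exclusion in a's POM by itself does not decide what b ends up with.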