You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2019/12/23 12:49:00 UTC
[jira] [Updated] (MNG-5622) Provided dependencies updated to
'compile' even when excluded
[ https://issues.apache.org/jira/browse/MNG-5622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Elliotte Rusty Harold updated MNG-5622:
---------------------------------------
Labels: needs-attention (was: )
> Provided dependencies updated to 'compile' even when excluded
> -------------------------------------------------------------
>
> Key: MNG-5622
> URL: https://issues.apache.org/jira/browse/MNG-5622
> Project: Maven
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 3.0.5, 3.2.1
> Reporter: Cintia DR
> Assignee: Jason van Zyl
> Priority: Minor
> Labels: needs-attention
> Attachments: dependencies-maven.tar.gz
>
>
> I have a project A with the following dependency:
> {code}
> <dependency>
> <groupId>dom4j</groupId>
> <artifactId>dom4j</artifactId>
> <version>1.6.1</version>
> </dependency>
> {code}
> _dom4j_ has a compile dependency _xml-api_.
> In the project B, I use project A as a provided dependency. And it has another dependency:
> {code}
> <!-- dom4j is a dependency of poi-ooxml -->
> <dependency>
> <groupId>org.apache.poi</groupId>
> <artifactId>poi-ooxml</artifactId>
> <version>3.9</version>
> <exclusions>
> <exclusion>
> <groupId>xml-apis</groupId>
> <artifactId>xml-apis</artifactId>
> </exclusion>
> </exclusions>
> </dependency>
> {code}
> So, what happens is maven 3.2.1 adds xml-api as a compile dependency regardless if you exclude it from poi-ooxml.
> As far as I understood, maven is getting project A dependencies, and finds a _dom4j_. It was initially supposed to be [provided|http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope], but the compile dependency _poi-ooxml_ has _dom4j_ as a transitive compile dependency - so maven correctly updates _dom4j_ scope to compile.
> The problem is, because it's adding _dom4j_ to compile scope, it decides to upgrade _xml-api_ to a compile dependency, *even if we excluded it* in the first place.
> The obvious workaround is to exclude _dom4j_ from _poi-ooxml_.
> I'm not sure if this is the expected behaviour, or just a corner case. I couldn't find any valid documentation about that case.
> This is a possible duplicate of MNG-5404, but it looks slightly different. I wonder if they have the same root cause.
> To run the test attached, "mvn package dependency:tree" will do it. dependency:2.8:tree is showing the same resolution tree as maven itself.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)