You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2019/12/23 12:49:00 UTC

[jira] [Updated] (MNG-5622) Provided dependencies updated to 'compile' even when excluded

     [ https://issues.apache.org/jira/browse/MNG-5622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elliotte Rusty Harold updated MNG-5622:
---------------------------------------
    Labels: needs-attention  (was: )

> Provided dependencies updated to 'compile' even when excluded
> -------------------------------------------------------------
>
>                 Key: MNG-5622
>                 URL: https://issues.apache.org/jira/browse/MNG-5622
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.0.5, 3.2.1
>            Reporter: Cintia DR
>            Assignee: Jason van Zyl
>            Priority: Minor
>              Labels: needs-attention
>         Attachments: dependencies-maven.tar.gz
>
>
> I have a project A with the following dependency:
> {code}
>  <dependency>
>         <groupId>dom4j</groupId>
>         <artifactId>dom4j</artifactId>
>         <version>1.6.1</version>
>     </dependency>
> {code}
> _dom4j_ has a compile dependency _xml-api_. 
> In the project B, I use project A as a provided dependency. And it has another dependency:
> {code}
> <!-- dom4j is a dependency of poi-ooxml -->
>       <dependency>
>         <groupId>org.apache.poi</groupId>
>         <artifactId>poi-ooxml</artifactId>
>         <version>3.9</version>
>         <exclusions>
>           <exclusion>
>             <groupId>xml-apis</groupId>
>             <artifactId>xml-apis</artifactId>
>           </exclusion>
>         </exclusions> 
>       </dependency>
> {code}
> So, what happens is maven 3.2.1 adds xml-api as a compile dependency regardless if you exclude it from poi-ooxml. 
> As far as I understood, maven is getting project A dependencies, and finds a _dom4j_. It was initially supposed to be [provided|http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope], but the compile dependency _poi-ooxml_ has _dom4j_ as a transitive compile dependency - so maven correctly updates _dom4j_ scope to compile.
> The problem is, because it's adding _dom4j_ to compile scope, it decides to upgrade _xml-api_ to a compile dependency, *even if we excluded it* in the first place. 
> The obvious workaround is to exclude _dom4j_ from _poi-ooxml_.  
> I'm not sure if this is the expected behaviour, or just a corner case. I couldn't find any valid documentation about that case. 
> This is a possible duplicate of MNG-5404, but it looks slightly different. I wonder if they have the same root cause. 
> To run the test attached, "mvn package dependency:tree" will do it. dependency:2.8:tree is showing the same resolution tree as maven itself. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)