You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2020/06/09 21:02:00 UTC
[jira] [Commented] (MNG-5622) Provided dependencies updated to
'compile' even when excluded
[ https://issues.apache.org/jira/browse/MNG-5622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17129801#comment-17129801 ]
Michael Osipov commented on MNG-5622:
-------------------------------------
This is the tree I see with Maven 3.7.0-SNAPSHOT:
{noformat}
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-excluding-jar ---
[INFO] com.mycompany.app:example-excluding-jar:jar:1.0-SNAPSHOT
[INFO] +- com.mycompany.app:example-provided-jar:jar:1.0-SNAPSHOT:provided
[INFO] | \- dom4j:dom4j:jar:1.6.1:compile
[INFO] | \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] \- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] +- org.apache.poi:poi:jar:3.9:compile
[INFO] | \- commons-codec:commons-codec:jar:1.5:compile
[INFO] \- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] \- stax:stax-api:jar:1.0.1:compile
{noformat}
Please provide a mockup tree you expect to see.
> Provided dependencies updated to 'compile' even when excluded
> -------------------------------------------------------------
>
> Key: MNG-5622
> URL: https://issues.apache.org/jira/browse/MNG-5622
> Project: Maven
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 3.0.5, 3.2.1
> Reporter: Cintia DR
> Priority: Minor
> Labels: needs-attention
> Attachments: dependencies-maven.tar.gz
>
>
> I have a project A with the following dependency:
> {code}
> <dependency>
> <groupId>dom4j</groupId>
> <artifactId>dom4j</artifactId>
> <version>1.6.1</version>
> </dependency>
> {code}
> _dom4j_ has a compile dependency _xml-api_.
> In the project B, I use project A as a provided dependency. And it has another dependency:
> {code}
> <!-- dom4j is a dependency of poi-ooxml -->
> <dependency>
> <groupId>org.apache.poi</groupId>
> <artifactId>poi-ooxml</artifactId>
> <version>3.9</version>
> <exclusions>
> <exclusion>
> <groupId>xml-apis</groupId>
> <artifactId>xml-apis</artifactId>
> </exclusion>
> </exclusions>
> </dependency>
> {code}
> So, what happens is maven 3.2.1 adds xml-api as a compile dependency regardless if you exclude it from poi-ooxml.
> As far as I understood, maven is getting project A dependencies, and finds a _dom4j_. It was initially supposed to be [provided|http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope], but the compile dependency _poi-ooxml_ has _dom4j_ as a transitive compile dependency - so maven correctly updates _dom4j_ scope to compile.
> The problem is, because it's adding _dom4j_ to compile scope, it decides to upgrade _xml-api_ to a compile dependency, *even if we excluded it* in the first place.
> The obvious workaround is to exclude _dom4j_ from _poi-ooxml_.
> I'm not sure if this is the expected behaviour, or just a corner case. I couldn't find any valid documentation about that case.
> This is a possible duplicate of MNG-5404, but it looks slightly different. I wonder if they have the same root cause.
> To run the test attached, "mvn package dependency:tree" will do it. dependency:2.8:tree is showing the same resolution tree as maven itself.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)