You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Joerg Schaible (JIRA)" <ji...@apache.org> on 2017/10/24 10:09:00 UTC

[jira] [Comment Edited] (MNG-6141) Dependency management overrides are not transitive and should be considered an anti-pattern.

    [ https://issues.apache.org/jira/browse/MNG-6141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216635#comment-16216635 ] 

Joerg Schaible edited comment on MNG-6141 at 10/24/17 10:08 AM:
----------------------------------------------------------------

Extended example, where
* parent inherits maven-parent and manages junit,
* module-1 overrides plexus-component-annotations (managed by maven-parent) and manages plexus-utils with a depMgmt section and
* a new module-3 (without a parent) using module-1.

{code:title=Module 1}
[DEBUG] localhost:module-1:jar:1.0-SNAPSHOT
[DEBUG]    org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG]       junit:junit:jar:3.8.1:compile (version managed from 3.8.2 by localhost:parent:1.0-SNAPSHOT)
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-model:jar:3.0:compile
[DEBUG]          org.codehaus.plexus:plexus-utils:jar:2.0.7:compile (version managed from 2.0.4 by localhost:module-1:1.0-SNAPSHOT)
[DEBUG]       org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG]       org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG]          org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG]          org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG]             org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}

Module-3 obviously uses wrong plexus-utils and junit versions, but at least the correct version of maven-plugin-api and plexus-component-annotations:

{code:title=Module 3}
[DEBUG] localhost:module-3:jar:1.0-SNAPSHOT
[DEBUG]    localhost:module-1:jar:1.0-SNAPSHOT:compile
[DEBUG]       org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG]          junit:junit:jar:3.8.2:compile
[DEBUG]       org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG]          org.apache.maven:maven-model:jar:3.0:compile
[DEBUG]             org.codehaus.plexus:plexus-utils:jar:2.0.4:compile
[DEBUG]          org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG]          org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG]             org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG]             org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG]                org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}

Generated with Maven 3.3.9.

If I understand you proposal now correctly, you would like to forbid the local overriding of maven-plugin-api, which is ignored for module-2, but respected for module-3. OTOH module-3 exposes different problems, since the active depMgmt sections of a dependency itself are not considered.

One use case, where I use a local overriding also actively, is for testing a different version of a dependency. Existing unit test may reveal a different behaviour.


was (Author: joehni):
Extended example, where
* parent inherits maven-parent and manages junit,
* module-1 overrides plexus-component-annotations (managed by maven-parent) and manages plexus-utils with a depMgmt section and
* a new module-3 (without a parent) using module-1.

{code:title=Module 1}
[DEBUG] localhost:module-1:jar:1.0-SNAPSHOT
[DEBUG]    org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG]       junit:junit:jar:3.8.1:compile (version managed from 3.8.2 by localhost:parent:1.0-SNAPSHOT)
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-model:jar:3.0:compile
[DEBUG]          org.codehaus.plexus:plexus-utils:jar:2.0.7:compile (version managed from 2.0.4 by localhost:module-1:1.0-SNAPSHOT)
[DEBUG]       org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG]       org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG]          org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG]          org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG]             org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}

Module-3 obviously uses wrong plexus-utils and junit versions, but at least the correct version of maven-plugin-api:

{code:title=Module 3}
[DEBUG] localhost:module-3:jar:1.0-SNAPSHOT
[DEBUG]    localhost:module-1:jar:1.0-SNAPSHOT:compile
[DEBUG]       org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG]          junit:junit:jar:3.8.2:compile
[DEBUG]       org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG]          org.apache.maven:maven-model:jar:3.0:compile
[DEBUG]             org.codehaus.plexus:plexus-utils:jar:2.0.4:compile
[DEBUG]          org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG]          org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG]             org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG]             org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG]                org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}

Generated with Maven 3.3.9.

If I understand you proposal now correctly, you would like to forbid the local overriding of maven-plugin-api, which is ignored for module-2, but respected for module-3. OTOH module-3 exposes different problems, since the active depMgmt sections of a dependency itself are not considered.

One use case, where I use a local overriding also actively, is for testing a different version of a dependency. Existing unit test may reveal a different behaviour.

> Dependency management overrides are not transitive and should be considered an anti-pattern.
> --------------------------------------------------------------------------------------------
>
>                 Key: MNG-6141
>                 URL: https://issues.apache.org/jira/browse/MNG-6141
>             Project: Maven
>          Issue Type: Bug
>            Reporter: Christian Schulte
>            Priority: Critical
>         Attachments: MNG-6141-3.zip, MNG-6141.zip
>
>
> Overriding the dependency management in a module's {{<dependencies>}} section, the overridden value will not be preserved transitively. It makes no sense to be able to override the dependency management in a module if that is only effective in that module and nowhere else. Overriding the dependency management from inside a {{<dependencies>}} element should be considered an anti-pattern. Maven should provide a warning when it is used. During the development of Maven 3.4, there have been quite a few discussions on dev@ about build issues which were all caused by overriding the dependency management that way without noticing this is not supported transitively.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)