Posted to issues@maven.apache.org by "Donatien RIVIERE (JIRA)" <ji...@apache.org> on 2019/03/13 17:01:00 UTC

[jira] [Updated] (MNG-6607) Transitive dependencies brought by provided scope and compile scope are computed as compile scope

     [ https://issues.apache.org/jira/browse/MNG-6607?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Donatien RIVIERE updated MNG-6607:
----------------------------------
    Description: 
We face an issue when the same +artifact-X+ is transitively brought by a +dependency-1+
 with *provided* scope, and another +dependency-2+ with *default (compile)* scope.
This +artifact-X+ will be computed as *compile* scope, while we expect it to be explicitly provided by +dependency-1+.

For example, +dependency-1+ pom contains:

{code:xml}
    <dependencies>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.7</version>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.1</version>
        </dependency>
    </dependencies>
{code}

+dependency-2+ pom contains:

{code:xml}
    <dependencies>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.8</version>
        </dependency>
    </dependencies>
{code}

Assembly project pom contains:

{code:xml}
    <dependencies>
        <!-- do not include dependencies already provided by module-1 at runtime -->
        <dependency>
            <groupId>com.company</groupId>
            <artifactId>module-1</artifactId>
            <version>1.0</version>
            <scope>provided</scope>
        </dependency>

        <!-- get dependencies required by module-2 runtime -->
        <dependency>
            <groupId>com.company</groupId>
            <artifactId>module-2</artifactId>
            <version>1.0</version>
        </dependency>
    </dependencies>
{code}

But a _mvn dependency:tree_ on assembly project will output:
{code}
[INFO] --- maven-dependency-plugin:3.1.0:tree (show-app-dependencies) @ module-3 ---
[INFO] com.company:module-3:pom:1.0
[INFO] +- com.company:module-1:jar:1.0:provided
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] |  \- org.apache.commons:commons-collections4:jar:4.1:provided
[INFO] \- com.company:module-2:jar:1.0:compile
{code}

And we can see the artifact +commons-lang3:jar:3.7+ which comes from +dependency-1+ is now at *compile* scope. Note that we don't use any dependency management here (see simple reproducer project in attachment).

This is confusing, and leads to duplicate libraries in runtime classpath when +dependency-1+ is effectively provided in classpath of +dependency-2+ runtime (for example by an application server).

Moreover, based on Maven documentation about dependency mediation/scope, the transitive dependencies that are provided should always be *omitted*.

http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope

Then, how to package ONLY the libraries defined as compile/runtime (and ignore all the provided ones, and their transitives)?

  was:
We face an issue when the same +artifact-X+ is transitively brought by a +dependency-1+
 with *provided* scope, and another +dependency-2+ with *default (compile)* scope.
This +artifact-X+ will be computed as *compile* scope, while we expect it to be explicitly provided by +dependency-1+.

For example, +dependency-1+ pom contains:

{code:xml}
    <dependencies>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.7</version>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.1</version>
        </dependency>
    </dependencies>
{code}

+dependency-2+ pom contains:

{code:xml}
    <dependencies>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.8</version>
        </dependency>
    </dependencies>
{code}

Assembly project pom contains:

{code:xml}
    <dependencies>
        <!-- do not include dependencies already provided by module-1 at runtime -->
        <dependency>
            <groupId>com.company</groupId>
            <artifactId>module-1</artifactId>
            <version>1.0</version>
            <scope>provided</scope>
        </dependency>

        <!-- get dependencies required by module-2 runtime -->
        <dependency>
            <groupId>com.company</groupId>
            <artifactId>module-2</artifactId>
            <version>1.0</version>
        </dependency>
    </dependencies>
{code}

But a _mvn dependency:tree_ on assembly project will output:
{code}
[INFO] --- maven-dependency-plugin:3.1.0:tree (show-app-dependencies) @ module-3 ---
[INFO] com.company:module-3:pom:1.0
[INFO] +- com.company:module-1:jar:1.0:provided
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] |  \- org.apache.commons:commons-collections4:jar:4.1:provided
[INFO] \- com.company:module-2:jar:1.0:compile
{code}

And we can see the artifact `commons-lang3:jar:3.7` which comes from dependency-1 is now at **compile** scope. Note that we don't use any `<dependencyManagement>` here.

This is very confusing, and leads to duplicate libraries in runtime classpath when `dependency-1` is effectively provided in classpath of `dependency-2` runtime (for example by an application server).

Moreover, based on Maven documentation about dependency mediation/scope, the transitive dependencies that are provided should always be **omitted**.

http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope

Then, how to package ONLY the libraries defined as compile/runtime (and ignore all the provided ones, and their transitives)?


> Transitive dependencies brought by provided scope and compile scope are computed as compile scope
> -------------------------------------------------------------------------------------------------
>
>                 Key: MNG-6607
>                 URL: https://issues.apache.org/jira/browse/MNG-6607
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.3.9, 3.5.0, 3.6.0
>         Environment: maven-3.3.9 to maven-3.6.0
>            Reporter: Donatien RIVIERE
>            Priority: Major
>         Attachments: test-dependencies-project.zip
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)