Posted to issues@maven.apache.org by "Petr Široký (Jira)" <ji...@apache.org> on 2022/12/29 21:40:00 UTC
[jira] [Commented] (MENFORCER-437) DependencyConvergence treats provided dependencies are runtime dependencies
[ https://issues.apache.org/jira/browse/MENFORCER-437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652960#comment-17652960 ]
Petr Široký commented on MENFORCER-437:
---------------------------------------
It seems this specific issue is fixed – I tried to build Apache Flink from this commit [https://github.com/apache/flink/commit/00a25808dfac69ba8319b9c4dc365e13fd5b87d2] (which is the one before the workarounds were applied - as described in the linked FLINK-29868), using the current {{3.2.0-SNAPSHOT}} version of the plugin and the error is gone.
That being said, the Flink build still fails during the {{DependencyConvergence}} check and I am not sure whether this is a bug in the enforcer rule or an actual violation being reported correctly:
{code:java}
[INFO] --- maven-enforcer-plugin:3.2.0-SNAPSHOT:enforce (dependency-convergence) @ flink-sql-parser ---
[INFO] Executing rule: org.apache.maven.plugins.enforcer.DependencyConvergence
[WARNING]
Dependency convergence error for org.checkerframework:checker-qual:jar:2.11.1 paths to dependency are:
+-org.apache.flink:flink-sql-parser:jar:1.17-SNAPSHOT
  +-org.apache.calcite:calcite-core:jar:1.27.0:compile
    +-com.google.guava:guava:jar:29.0-jre:compile
      +-org.checkerframework:checker-qual:jar:2.11.1:compile
and
+-org.apache.flink:flink-sql-parser:jar:1.17-SNAPSHOT
  +-org.apache.calcite:calcite-core:jar:1.27.0:compile
    +-org.checkerframework:checker-qual:jar:3.10.0:compile
[ERROR] Rule 0: org.apache.maven.plugins.enforcer.DependencyConvergence failed with message:
Failed while enforcing releasability. See above detailed error message.
{code}
The pom.xml ([https://github.com/apache/flink/blob/00a25808dfac69ba8319b9c4dc365e13fd5b87d2/flink-table/flink-sql-parser/pom.xml#L50]) contains
{code:java}
...
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>${guava.version}</version>
  <scope>provided</scope>
  <exclusions>
    <exclusion>
      <groupId>org.checkerframework</groupId>
      <artifactId>checker-qual</artifactId>
    </exclusion>
  </exclusions>
</dependency>
...
{code}
Should the enforcer rule take into consideration the {{provided}} scope and the exclusion here? (this seems to be what {{3.1.0}} is doing, but I am not sure whether that's correct).
> DependencyConvergence treats provided dependencies are runtime dependencies
> ---------------------------------------------------------------------------
>
> Key: MENFORCER-437
> URL: https://issues.apache.org/jira/browse/MENFORCER-437
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Components: Standard Rules
> Affects Versions: 3.1.0
> Reporter: Chesnay Schepler
> Priority: Major
> Fix For: 3.2.0
>
>
> After upgrading from 3.0.0-M1 to 3.1.0 we started getting a dependency convergence error for a transitive {{provided}} dependency on {{org.osgi.core}}.
> {code}
> ...
> +-org.xerial.snappy:snappy-java:jar:1.1.8.3:runtime
> +-org.osgi:org.osgi.core:jar:4.3.0:runtime
> ...
> +-org.apache.commons:commons-compress:jar:1.21:runtime
> +-org.osgi:org.osgi.core:jar:6.0.0:runtime
> {code}
> It's strange that it is shown here as a runtime dependency, when both snappy-java and commons-compress declare it as a provided dependency.
> In fact osgi doesn't show up in the dependency tree at all.
> Being a transitive provided dependency osgi will never be put on the classpath unless we manually put it there, so having to deal with such errors isn't ideal.
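An added example, not part of the original message or of the plugin's code: a small Python parser for the {{DependencyConvergence}} output quoted in the comment, which lists each conflicting version with its scope and the chain of dependencies that pulls it in, so the reported paths can be compared with the exclusions declared in the pom.xml. The function names are hypothetical, and coordinates are assumed to carry no classifier.

```python
import re
from collections import defaultdict

# Enforcer output taken from the comment above, with tree indentation (constructed input).
SAMPLE = """\
Dependency convergence error for org.checkerframework:checker-qual:jar:2.11.1 paths to dependency are:
+-org.apache.flink:flink-sql-parser:jar:1.17-SNAPSHOT
  +-org.apache.calcite:calcite-core:jar:1.27.0:compile
    +-com.google.guava:guava:jar:29.0-jre:compile
      +-org.checkerframework:checker-qual:jar:2.11.1:compile
and
+-org.apache.flink:flink-sql-parser:jar:1.17-SNAPSHOT
  +-org.apache.calcite:calcite-core:jar:1.27.0:compile
    +-org.checkerframework:checker-qual:jar:3.10.0:compile
[ERROR] Rule 0: org.apache.maven.plugins.enforcer.DependencyConvergence failed with message:
"""

HEADER = re.compile(r"Dependency convergence error for (\S+) paths to dependency are:")
NODE = re.compile(r"^\s*\+-(\S+)\s*$")

def parse_coord(coord):
    # Assumes group:artifact:type:version[:scope] (no classifier); the root node has no scope.
    parts = coord.split(":")
    return {"ga": ":".join(parts[:2]), "version": parts[3],
            "scope": parts[4] if len(parts) > 4 else None}

def parse_convergence_errors(text):
    """Return {group:artifact: [path, ...]}; each path is a list of parsed nodes, root first."""
    errors, current, path = defaultdict(list), None, []
    for line in text.splitlines() + [""]:      # trailing sentinel flushes the last path
        header, node = HEADER.search(line), NODE.match(line)
        if node and current:
            path.append(parse_coord(node.group(1)))
            continue
        if current and path:                   # "and", a new header or any other line ends a path
            errors[current].append(path)
        path = []
        if header:
            current = parse_coord(header.group(1))["ga"]
        elif line.strip() != "and":
            current = None                     # left the convergence block
    return dict(errors)

def summarize(errors):
    """Per artifact: version -> (scope, intermediate group:artifact chain that pulls it in)."""
    return {ga: {p[-1]["version"]: (p[-1]["scope"], [n["ga"] for n in p[1:-1]]) for p in paths}
            for ga, paths in errors.items()}

if __name__ == "__main__":
    for ga, versions in summarize(parse_convergence_errors(SAMPLE)).items():
        for version, (scope, via) in versions.items():
            print(f"{ga}:{version} [{scope}] via {' -> '.join(via)}")
```

On the output quoted above, both reported paths run through {{calcite-core}}, and both versions are reported with {{compile}} scope.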