Posted to issues@maven.apache.org by "Dave Wichers (Jira)" <ji...@apache.org> on 2023/03/07 16:54:00 UTC

[jira] [Created] (MPIR-430) Dependency Convergence calculation should ignore 'provided' direct and transitive dependencies

Dave Wichers created MPIR-430:
---------------------------------

             Summary: Dependency Convergence calculation should ignore 'provided' direct and transitive dependencies
                 Key: MPIR-430
                 URL: https://issues.apache.org/jira/browse/MPIR-430
             Project: Maven Project Info Reports Plugin
          Issue Type: Bug
          Components: dependency-convergence
    Affects Versions: 3.4.2
            Reporter: Dave Wichers


If a direct or transitive dependency is 'provided', then excluding it has no effect, I believe. As an example, this other Apache project: [https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html] - when it calculates enforcement of dependency convergence, it already ignores 'provided' dependencies. I have a project I'm supporting called ESAPI, and if you look at its pom here: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L165], you'll see this pom excludes a dependency for the 'provided' dependency javax.servlet.jsp-api. The project does this to get 100% convergence for the MPIR convergence report even though 'excluding' this transitive dependency has no actual effect.

When I drop this exclusion, the 100% convergence requirement enforced by the maven enforcer plugin per: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#570] still passes.

There is also a 'provided' transitive dependency of a real dependency here that we have to exclude: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#189] (the xml-api exclusion).

These two exclusions are really unnecessary.

Can you enhance the dependency convergence calculations of the MPIR plugin to ignore all direct or transitive 'provided' dependencies to match the behavior of the Maven Enforcer Plugin?



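The difference the issue describes, as an added example (not code from the MPIR or Enforcer plugins): a convergence check over a dependency tree, run once over every scope and once with 'provided' entries ignored. The tree text is constructed, and `convergence()` and its percentage are hypothetical, simplified stand-ins for the report's calculation.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `mvn dependency:tree` output; coordinates are
# illustrative and mirror the two cases in the issue (a 'provided' direct
# dependency and a 'provided' transitive of a compile dependency).
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
[INFO] |  \- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- org.example:xml-tool:jar:2.0:compile
[INFO] |  +- xml-apis:xml-apis:jar:1.4.01:provided
[INFO] |  \- commons-io:commons-io:jar:2.6:compile
[INFO] +- org.example:other-tool:jar:1.1:compile
[INFO] |  \- xml-apis:xml-apis:jar:1.3.04:provided
[INFO] \- commons-io:commons-io:jar:2.11.0:compile
"""

# groupId:artifactId:type:version:scope at the end of a tree line.
# The root line has no scope field, so it does not match and is skipped.
DEP = re.compile(r"([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)\s*$")

def convergence(tree_text, ignore_scopes=()):
    """Return (conflicts, percent): artifacts seen with more than one version,
    and the share of artifacts with a single version. The percentage is a
    simplified metric assumed here, not the formula the MPIR report uses."""
    versions = defaultdict(set)
    for line in tree_text.splitlines():
        m = DEP.search(line)
        if not m:
            continue
        group, artifact, _type, version, scope = m.groups()
        if scope in ignore_scopes:
            continue  # the behaviour the issue requests for 'provided'
        versions[f"{group}:{artifact}"].add(version)
    conflicts = {ga: sorted(v) for ga, v in versions.items() if len(v) > 1}
    total = len(versions)
    pct = 100.0 * (total - len(conflicts)) / total if total else 100.0
    return conflicts, round(pct, 1)

if __name__ == "__main__":
    for label, scopes in (("all scopes", ()), ("ignoring provided", ("provided",))):
        conflicts, pct = convergence(SAMPLE_TREE, scopes)
        print(f"{label}: {pct}% converged")
        for ga, vs in conflicts.items():
            print(f"  {ga}: {', '.join(vs)}")
```

With 'provided' ignored, the compile-scope `commons-io` mismatch is still reported, so the filter only drops entries that never reach the packaged artifact.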