You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2023/04/08 11:00:00 UTC
[jira] [Closed] (MPIR-430) Dependency Convergence calculation should ignore 'provided' direct and transitive dependencies
[ https://issues.apache.org/jira/browse/MPIR-430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Elliotte Rusty Harold closed MPIR-430.
--------------------------------------
> Dependency Convergence calculation should ignore 'provided' direct and transitive dependencies
> ----------------------------------------------------------------------------------------------
>
> Key: MPIR-430
> URL: https://issues.apache.org/jira/browse/MPIR-430
> Project: Maven Project Info Reports Plugin
> Issue Type: Bug
> Components: dependency-convergence
> Affects Versions: 3.4.2
> Reporter: Dave Wichers
> Priority: Minor
>
> If a direct or transitive dependency is 'provided', then excluding it has no affect I believe. As an example, this other Apache project: [https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html] - when it calculates enforcement of dependency convergence, it already ignores 'provided' dependencies. I have a project I'm supporting called ESAPI, and if you look at its pom here: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L165,] you'll see this pom excludes a dependency for the 'provided' dependency javax.servlet.jsp-api. The project does this to get 100% convergence for the MPIR convergence report even though 'excluding' this transitive dependency has no actual affect.
> When I drop this exclusion, the 100% convergence requirement enforced by the maven enforcer plugin per: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#570] still passes.
> There is also a 'provided' transitive dependency of a real dependency here that we have to exclude: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#189] (the xml-api exclusion).
> These two exclusions are really unnecessary.
> Can you enhance the dependency convergence calculations of the MPIR plugin to ignore all direct or transitive 'provided' dependencies to match the behavior of the Maven Enforcer Plugin?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)