Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2023/04/08 11:00:00 UTC

[jira] [Closed] (MPIR-430) Dependency Convergence calculation should ignore 'provided' direct and transitive dependencies

     [ https://issues.apache.org/jira/browse/MPIR-430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elliotte Rusty Harold closed MPIR-430.
--------------------------------------

> Dependency Convergence calculation should ignore 'provided' direct and transitive dependencies
> ----------------------------------------------------------------------------------------------
>
>                 Key: MPIR-430
>                 URL: https://issues.apache.org/jira/browse/MPIR-430
>             Project: Maven Project Info Reports Plugin
>          Issue Type: Bug
>          Components: dependency-convergence
>    Affects Versions: 3.4.2
>            Reporter: Dave Wichers
>            Priority: Minor
>
> If a direct or transitive dependency is 'provided', then excluding it has no effect, I believe. As an example, this other Apache project: [https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html] - when it calculates enforcement of dependency convergence, it already ignores 'provided' dependencies. I have a project I'm supporting called ESAPI, and if you look at its pom here: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L165], you'll see this pom excludes a dependency for the 'provided' dependency javax.servlet.jsp-api. The project does this to get 100% convergence for the MPIR convergence report even though 'excluding' this transitive dependency has no actual effect.
> When I drop this exclusion, the 100% convergence requirement enforced by the maven enforcer plugin per: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#570] still passes.
> There is also a 'provided' transitive dependency of a real dependency here that we have to exclude: [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#189] (the xml-api exclusion).
> These two exclusions are really unnecessary.
> Can you enhance the dependency convergence calculations of the MPIR plugin to ignore all direct or transitive 'provided' dependencies to match the behavior of the Maven Enforcer Plugin?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)