[ https://issues.apache.org/jira/browse/TIKA-3934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17636242#comment-17636242 ]

Konstantin Gribov commented on TIKA-3934:
-----------------------------------------

It seems that it doesn't: if I have an import for {{org.apache.tika:tika-bom}} and 
add {{org.apache.tika:tika-core}} and {{io.netty:netty-buffer}} without 
versions, both the Maven and Gradle builds will fail.

On the other hand, the {{log4j-core}} version (and the version constraint in the 
Gradle case) leaks from {{tika-parent}} via {{tika-bom}}.

||Type||Use BOM||tika-core||log4j-core||Result||
|Maven|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Maven|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.18.0|
|Maven|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|
|Gradle|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|

Test Maven project (run {{mvn package}} to see actual dependencies in the 
output):

{code:xml|title=pom.xml}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.example</groupId>
  <artifactId>bom-test</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.tika</groupId>
        <artifactId>tika-bom</artifactId>
        <version>2.6.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-core</artifactId>
      <!--<version>2.6.0</version>-->
    </dependency>

    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <!--<version>2.18.0</version>-->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>3.3.0</version>
        <executions>
          <execution>
            <id>test</id>
            <phase>package</phase>
            <goals>
              <goal>copy-dependencies</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/deps</outputDirectory>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
{code}

Gradle test project (run {{gradle dependencyInsight --dependency log4j}} or 
{{gradle dependencies --configuration rC}}):

{code:kotlin|title=settings.gradle.kts}
dependencyResolutionManagement {
  repositories.mavenCentral()
}
{code}

{code:kotlin|title=build.gradle.kts}
plugins {
  `java-library`
}

dependencies {
  api(platform("org.apache.tika:tika-bom:2.6.0"))
  api("org.apache.tika:tika-core")
  implementation("org.apache.logging.log4j:log4j-core:2.18.0")
}
{code}

> Reorganize POMs parent chain to avoid leaking dependency management downstream
> ------------------------------------------------------------------------------
>
>                 Key: TIKA-3934
>                 URL: https://issues.apache.org/jira/browse/TIKA-3934
>             Project: Tika
>          Issue Type: Improvement
>          Components: depedency
>    Affects Versions: 2.6.0
>            Reporter: Konstantin Gribov
>            Assignee: Konstantin Gribov
>            Priority: Major
>             Fix For: 2.6.1, 2.7.0
>
>
> Tika's BOM (Bill of Materials) artifact has {{tika-parent}} as a parent POM 
> and thus forces a lot of dependency versions on downstream users. 
> For example, if one uses only the PDF module, there's no reason to force 
> Netty/Jetty/CXF/whatever versions.
> I propose the following:
> * make the {{tika}} reactor depend on {{tika-parent}} and all other {{tika-*}} 
> modules on the reactor
> * move all our dependency management and build-related configuration to the 
> reactor ({{tika}} root project)
> I started this work last week and will publish the first PR for review soon. 
> Moving parts from {{tika-parent}} to {{tika}} may take some time, so little 
> steps without build disruption are a must.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
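
A downstream build can check for the two outcomes in the table above (a pinned version replaced by the BOM's, and log4j-api and log4j-core resolving to different versions) by auditing the resolved jar names, for example the contents of the {{deps}} directory that {{copy-dependencies}} writes. This is an added example, not part of the original message or of Tika; the function names, the family policy and the jar lists (built from the table rows) are assumptions.

```python
import re

# Jar file names as written by copy-dependencies: <artifactId>-<version>.jar
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def parse_jars(names):
    """Map artifactId -> version; names that do not look like versioned jars are skipped."""
    resolved = {}
    for name in names:
        m = JAR_RE.match(name)
        if m:
            resolved[m.group("artifact")] = m.group("version")
    return resolved

def audit(jar_names, pins, families):
    """Return sorted findings for one resolved dependency set.

    pins:     artifactId -> version the build file explicitly asks for.
    families: label -> artifacts expected to resolve to one version
              (hypothetical local policy, not something Maven or Gradle enforces).
    """
    resolved = parse_jars(jar_names)
    findings = []
    for artifact, wanted in pins.items():
        got = resolved.get(artifact)
        if got is None:
            findings.append(f"MISSING {artifact}: pinned {wanted}, not resolved")
        elif got != wanted:
            findings.append(f"OVERRIDDEN {artifact}: pinned {wanted}, resolved {got}")
    for label, members in families.items():
        versions = {a: resolved[a] for a in members if a in resolved}
        if len(set(versions.values())) > 1:
            detail = ", ".join(f"{a} {v}" for a, v in sorted(versions.items()))
            findings.append(f"SKEW {label}: {detail}")
    return sorted(findings)

# Constructed sample inputs mirroring three rows of the table in the comment.
PINS = {"log4j-core": "2.18.0"}
FAMILIES = {"log4j": ["log4j-api", "log4j-core"]}
MAVEN_BOM_PINNED = ["tika-core-2.6.0.jar", "log4j-api-2.19.0.jar", "log4j-core-2.18.0.jar"]
GRADLE_BOM_PINNED = ["tika-core-2.6.0.jar", "log4j-api-2.19.0.jar", "log4j-core-2.19.0.jar"]
NO_BOM_PINNED = ["tika-core-2.6.0.jar", "log4j-api-2.18.0.jar", "log4j-core-2.18.0.jar"]

if __name__ == "__main__":
    for label, jars in [("maven+bom", MAVEN_BOM_PINNED),
                        ("gradle+bom", GRADLE_BOM_PINNED),
                        ("no bom", NO_BOM_PINNED)]:
        print(label, audit(jars, PINS, FAMILIES) or "clean")
```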
