Christopher Lambert created TIKA-4534:
-----------------------------------------
Summary: tika-bom is managing versions of non-tika artifacts
Key: TIKA-4534
URL: https://issues.apache.org/jira/browse/TIKA-4534
Project: Tika
Issue Type: Bug
Components: packaging
Affects Versions: 3.2.3
Reporter: Christopher Lambert
In a private multi-module Maven project I wanted to manage versions of tika
artifacts by importing the {{tika-bom}} of 3.2.3 in the parent pom.xml but
suddenly modules that are not using tika at all no longer compiled.
Looking at the dependency tree of those modules, it seems like many dependency
versions suddenly got upgraded unintentionally:
{code:java}
< [INFO] | +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
---
> [INFO] | +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
42c47
< [INFO] | \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
---
> [INFO] | \- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
96c101
< [INFO] | +- commons-fileupload:commons-fileupload:jar:1.4:test
---
> [INFO] | +- commons-fileupload:commons-fileupload:jar:1.6.0:test
{code}
The problem is that the published {{tika-bom}} is referencing {{tika-parent}}
where many other artifact versions are enforced in the
{{dependencyManagement}} section:
https://repo1.maven.org/maven2/org/apache/tika/tika-bom/3.2.3/tika-bom-3.2.3.pom
https://repo1.maven.org/maven2/org/apache/tika/tika-parent/3.2.3/tika-parent-3.2.3.pom
One can verify this locally by running:
{code:java}
./mvnw help:effective-pom -Dartifact=org.apache.tika:tika-bom:3.2.3 -Doutput=tika-bom.txt
{code}
and compare it to like:
{code:java}
./mvnw help:effective-pom -Dartifact=org.slf4j:slf4j-bom:2.0.17 -Doutput=slf4j-bom.txt
{code}
where only slf4j artifacts are in the {{dependencyManagement}} section of the
effective pom.
See also [https://jlbp.dev/JLBP-15] which states:
??Unlike the module POMs of a Maven project, the BOM does not inherit from the
parent POM that’s used for building other modules of the library. The reason is
that a parent will have direct (and possibly transitive) dependencies in its
{{<dependencyManagement>}} section to ensure that its build is consistent, but
these dependency versions shouldn’t be imported by consumers who import the
BOM.??
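
A way to automate the comparison described in the report, as an added example that is not part of the original issue or of the Tika project: it reads an effective POM as written by help:effective-pom and lists every managed dependency outside the BOM's own groupId. The function name, the sample XML and the use of tika-core in it are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample shaped like help:effective-pom output for a BOM that
# inherits its parent's dependencyManagement; not the real tika-bom POM.
SAMPLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.apache.tika</groupId>
  <artifactId>tika-bom</artifactId>
  <version>3.2.3</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.tika</groupId>
      <artifactId>tika-core</artifactId><version>3.2.3</version></dependency>
    <dependency><groupId>jakarta.ws.rs</groupId>
      <artifactId>jakarta.ws.rs-api</artifactId><version>3.1.0</version></dependency>
    <dependency><groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId><version>1.6.0</version></dependency>
  </dependencies></dependencyManagement>
</project>"""


def foreign_managed(effective_pom_xml):
    """List managed dependencies whose groupId is outside the BOM's own groupId."""
    project = ET.fromstring(effective_pom_xml)
    own = project.findtext("m:groupId", default="", namespaces=NS)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    foreign = []
    for dep in project.iterfind(path, NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        # Sub-groups such as "<own>.something" still count as the project's own.
        if group != own and not group.startswith(own + "."):
            foreign.append((group,
                            dep.findtext("m:artifactId", namespaces=NS),
                            dep.findtext("m:version", namespaces=NS)))
    return foreign


if __name__ == "__main__":
    # Pass the file written by -Doutput=..., or run without arguments for the sample.
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for group, artifact, version in foreign_managed(xml_text):
        print(f"foreign managed dependency: {group}:{artifact}:{version}")
```

An empty result is what a BOM that manages only its own artifacts produces, so the script can gate a build or a dependency review on that.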