[ 
https://issues.apache.org/jira/browse/TIKA-4534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Christopher Lambert updated TIKA-4534:
--------------------------------------
    Description: 
in a private multi module maven project i wanted to manage versions of tika 
artifacts by importing the {{tika-bom}} of 3.2.3 in the parent pom.xml: 
{code:java}
<dependencyManagement>
  <dependencies>
    (...)
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-bom</artifactId>
      <version>3.2.3</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>{code}
but suddenly modules that are not using tika at all no longer compiled.

looking at the dependency tree of those modules, it seems like many dependency 
versions suddenly got upgraded unintentionally:
{code:java}
< [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
---
> [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
42c47
< [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
---
> [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
96c101
< [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.4:test
---
> [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.6.0:test {code}
the problem is that the published {{tika-bom}} is referencing {{tika-parent}} 
where many other artifacts versions are enforced in the 
{{dependencyManagement}} section:

[https://repo1.maven.org/maven2/org/apache/tika/tika-bom/3.2.3/tika-bom-3.2.3.pom]

[https://repo1.maven.org/maven2/org/apache/tika/tika-parent/3.2.3/tika-parent-3.2.3.pom]

one can verify this locally by running:
{code:java}
./mvnw help:effective-pom -Dartifact=org.apache.tika:tika-bom:3.2.3 -Doutput=tika-bom.txt{code}
and compare it to like:
{code:java}
./mvnw help:effective-pom -Dartifact=org.slf4j:slf4j-bom:2.0.17 -Doutput=slf4j-bom.txt{code}
where only slf4j artifacts are in the {{dependencyManagement}} section of the 
effective pom.

see also [https://jlbp.dev/JLBP-15] which states:

??Unlike the module POMs of a Maven project, the BOM does not inherit from the 
parent POM that’s used for building other modules of the library. The reason is 
that a parent will have direct (and possibly transitive) dependencies in its 
{{<dependencyManagement>}} section to ensure that its build is consistent, but 
these dependency versions shouldn’t be imported by consumers who import the 
BOM.??

  was:
in a private multi module maven project i wanted to manage versions of tika 
artifacts by importing the {{tika-bom}} of 3.2.3 in the parent pom.xml but 
suddenly modules that are not using tika at all no longer compiled.

looking at the dependency tree of those modules, it seems like many dependency 
versions suddenly got upgraded unintentionally:
{code:java}
< [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
---
> [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
42c47
< [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
---
> [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
96c101
< [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.4:test
---
> [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.6.0:test {code}
the problem is that the published {{tika-bom}} is referencing {{tika-parent}} 
where many other artifacts versions are enforced in the 
{{dependencyManagement}} section:

https://repo1.maven.org/maven2/org/apache/tika/tika-bom/3.2.3/tika-bom-3.2.3.pom

https://repo1.maven.org/maven2/org/apache/tika/tika-parent/3.2.3/tika-parent-3.2.3.pom

one can verify this locally by running:

 
{code:java}
./mvnw help:effective-pom -Dartifact=org.apache.tika:tika-bom:3.2.3 -Doutput=tika-bom.txt{code}
 

and compare it to like:

 
{code:java}
./mvnw help:effective-pom -Dartifact=org.slf4j:slf4j-bom:2.0.17 -Doutput=slf4j-bom.txt{code}
 

where only slf4j artifacts are in the {{dependencyManagement}} section of the 
effective pom.

see also [https://jlbp.dev/JLBP-15] which states:

??Unlike the module POMs of a Maven project, the BOM does not inherit from the 
parent POM that’s used for building other modules of the library. The reason is 
that a parent will have direct (and possibly transitive) dependencies in its 
{{<dependencyManagement>}} section to ensure that its build is consistent, but 
these dependency versions shouldn’t be imported by consumers who import the 
BOM.??


> tika-bom is managing versions of non-tika artifacts
> ---------------------------------------------------
>
>                 Key: TIKA-4534
>                 URL: https://issues.apache.org/jira/browse/TIKA-4534
>             Project: Tika
>          Issue Type: Bug
>          Components: packaging
>    Affects Versions: 3.2.3
>            Reporter: Christopher Lambert
>            Priority: Major
>
> in a private multi module maven project i wanted to manage versions of tika 
> artifacts by importing the {{tika-bom}} of 3.2.3 in the parent pom.xml: 
> {code:java}
> <dependencyManagement>
>   <dependencies>
>     (...)
>     <dependency>
>       <groupId>org.apache.tika</groupId>
>       <artifactId>tika-bom</artifactId>
>       <version>3.2.3</version>
>       <type>pom</type>
>       <scope>import</scope>
>     </dependency>
>   </dependencies>
> </dependencyManagement>{code}
> but suddenly modules that are not using tika at all no longer compiled.
> looking at the dependency tree of those modules, it seems like many 
> dependency versions suddenly got upgraded unintentionally:
> {code:java}
> < [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
> ---
> > [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
> 42c47
> < [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
> ---
> > [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
> 96c101
> < [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.4:test
> ---
> > [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.6.0:test {code}
> the problem is that the published {{tika-bom}} is referencing {{tika-parent}} 
> where many other artifacts versions are enforced in the 
> {{dependencyManagement}} section:
> [https://repo1.maven.org/maven2/org/apache/tika/tika-bom/3.2.3/tika-bom-3.2.3.pom]
> [https://repo1.maven.org/maven2/org/apache/tika/tika-parent/3.2.3/tika-parent-3.2.3.pom]
> one can verify this locally by running:
> {code:java}
> ./mvnw help:effective-pom -Dartifact=org.apache.tika:tika-bom:3.2.3 -Doutput=tika-bom.txt{code}
> and compare it to like:
> {code:java}
> ./mvnw help:effective-pom -Dartifact=org.slf4j:slf4j-bom:2.0.17 -Doutput=slf4j-bom.txt{code}
> where only slf4j artifacts are in the {{dependencyManagement}} section of the 
> effective pom.
> see also [https://jlbp.dev/JLBP-15] which states:
> ??Unlike the module POMs of a Maven project, the BOM does not inherit from 
> the parent POM that’s used for building other modules of the library. The 
> reason is that a parent will have direct (and possibly transitive) 
> dependencies in its {{<dependencyManagement>}} section to ensure that its 
> build is consistent, but these dependency versions shouldn’t be imported by 
> consumers who import the BOM.??



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
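
A check for the condition this report describes, as an added example that is not part of the original message or of the Tika project's code: it reads an effective POM (the file written by help:effective-pom with -Doutput) and lists every dependencyManagement entry whose groupId lies outside the BOM's own group. The sample POMs, the org.example.lib coordinates and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def foreign_managed(effective_pom_xml, own_group=None):
    """List managed dependencies whose groupId lies outside the BOM's own group."""
    # Input is Maven's own local output; use a hardened parser for untrusted XML.
    root = ET.fromstring(effective_pom_xml)
    # Multi-project output is wrapped in <projects>; single output is <project>.
    project = root if root.tag.endswith("}project") else root.find("m:project", NS)
    own_group = own_group or project.findtext("m:groupId", namespaces=NS)
    foreign = []
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    for dep in project.findall(path, NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        if gid != own_group and not gid.startswith(own_group + "."):
            foreign.append((gid,
                            dep.findtext("m:artifactId", namespaces=NS),
                            dep.findtext("m:version", namespaces=NS)))
    return sorted(foreign)

def _pom(group, artifact, managed):
    """Build a minimal effective POM (constructed sample, not real Maven output)."""
    deps = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        f"<version>{v}</version></dependency>" for g, a, v in managed)
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0">'
            f"<groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
            f"<dependencyManagement><dependencies>{deps}</dependencies>"
            f"</dependencyManagement></project>")

# Constructed: a BOM that inherited its build parent's managed versions.
LEAKY_BOM = _pom("org.example.lib", "lib-bom", [
    ("org.example.lib", "lib-core", "1.0.0"),
    ("jakarta.ws.rs", "jakarta.ws.rs-api", "3.1.0"),
    ("commons-fileupload", "commons-fileupload", "1.6.0"),
])
# Constructed: a BOM that manages only its own project's artifacts.
CLEAN_BOM = _pom("org.example.lib", "lib-bom", [
    ("org.example.lib", "lib-core", "1.0.0"),
    ("org.example.lib", "lib-parsers", "1.0.0"),
])

if __name__ == "__main__":
    for name, xml in (("leaky", LEAKY_BOM), ("clean", CLEAN_BOM)):
        for gid, aid, ver in foreign_managed(xml):
            print(f"{name}: BOM pins foreign artifact {gid}:{aid}:{ver}")
```

Run against a real effective-pom output file by passing its contents to foreign_managed; a non-empty result means importing that BOM will also pin versions of artifacts the consumer never asked it to manage.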
