[ https://issues.apache.org/jira/browse/TIKA-4534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18034150#comment-18034150 ]

ASF GitHub Bot commented on TIKA-4534:
--------------------------------------

tballison opened a new pull request, #2380:
URL: https://github.com/apache/tika/pull/2380


> tika-bom is managing versions of non-tika artifacts
> ---------------------------------------------------
>
>                 Key: TIKA-4534
>                 URL: https://issues.apache.org/jira/browse/TIKA-4534
>             Project: Tika
>          Issue Type: Bug
>          Components: packaging
>    Affects Versions: 3.2.3
>            Reporter: Christopher Lambert
>            Priority: Major
>
> In a private multi-module Maven project I wanted to manage versions of Tika 
> artifacts by importing the {{tika-bom}} of 3.2.3 in the parent pom.xml: 
> {code:java}
> <dependencyManagement>
>   <dependencies>
>     (...)
>     <dependency>
>       <groupId>org.apache.tika</groupId>
>       <artifactId>tika-bom</artifactId>
>       <version>3.2.3</version>
>       <type>pom</type>
>       <scope>import</scope>
>     </dependency>
>   </dependencies>
> </dependencyManagement>{code}
> But suddenly modules that are not using Tika at all no longer compiled.
> Looking at the dependency tree of those modules, it seems like many 
> dependency versions suddenly got upgraded unintentionally:
> {code:java}
> < [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
> ---
> > [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
> 42c47
> < [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
> ---
> > [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
> 96c101
> < [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.4:test
> ---
> > [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.6.0:test {code}
> The problem is that the published {{tika-bom}} is referencing {{tika-parent}} 
> where many other artifacts' versions are enforced in the 
> {{dependencyManagement}} section:
> [https://repo1.maven.org/maven2/org/apache/tika/tika-bom/3.2.3/tika-bom-3.2.3.pom]
> [https://repo1.maven.org/maven2/org/apache/tika/tika-parent/3.2.3/tika-parent-3.2.3.pom]
> One can verify this locally by running:
> {code:java}
> ./mvnw help:effective-pom -Dartifact=org.apache.tika:tika-bom:3.2.3 -Doutput=tika-bom.txt{code}
> and compare it to something like:
> {code:java}
> ./mvnw help:effective-pom -Dartifact=org.slf4j:slf4j-bom:2.0.17 -Doutput=slf4j-bom.txt{code}
> where only slf4j artifacts are in the {{dependencyManagement}} section of the 
> effective pom.
> See also [https://jlbp.dev/JLBP-15] which states:
> ??Unlike the module POMs of a Maven project, the BOM does not inherit from 
> the parent POM that’s used for building other modules of the library. The 
> reason is that a parent will have direct (and possibly transitive) 
> dependencies in its {{<dependencyManagement>}} section to ensure that its 
> build is consistent, but these dependency versions shouldn’t be imported by 
> consumers who import the BOM.??



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
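
The comparison described in the issue can be automated by listing every `dependencyManagement` entry in a BOM's effective POM whose groupId lies outside the BOM's own group. This is an added example, not part of the original issue or the Tika project; the function names, the `com.example.lib` coordinates and the sample POM are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

def foreign_managed_deps(effective_pom_xml, own_prefix=None):
    """Return managed dependencies whose groupId lies outside the BOM's own."""
    root = ET.fromstring(effective_pom_xml)
    for el in root.iter():  # strip the POM namespace so plain paths work
        el.tag = el.tag.rsplit("}", 1)[-1]
    # A multi-module effective POM is wrapped in <projects>; take the first.
    project = root if root.tag == "project" else root.find("project")
    prefix = own_prefix or project.findtext("groupId", "").strip()
    leaked = []
    for dep in project.findall("dependencyManagement/dependencies/dependency"):
        group = dep.findtext("groupId", "").strip()
        if group != prefix and not group.startswith(prefix + "."):
            leaked.append(":".join([group, dep.findtext("artifactId", "?"),
                                    dep.findtext("version", "?")]))
    return sorted(leaked)

def make_pom(group, managed):
    """Build a minimal effective POM (constructed sample, not real output)."""
    deps = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        f"<version>{v}</version></dependency>" for g, a, v in managed)
    return ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
            f"<groupId>{group}</groupId><artifactId>lib-bom</artifactId>"
            "<version>1.0.0</version><packaging>pom</packaging>"
            f"<dependencyManagement><dependencies>{deps}</dependencies>"
            "</dependencyManagement></project>")

# Constructed sample: a BOM under the made-up group com.example.lib that
# inherited two third-party entries from its build parent.
LEAKY_BOM = make_pom("com.example.lib", [
    ("com.example.lib", "lib-core", "1.0.0"),
    ("com.example.lib.parsers", "lib-parsers", "1.0.0"),
    ("jakarta.ws.rs", "jakarta.ws.rs-api", "3.1.0"),
    ("commons-fileupload", "commons-fileupload", "1.6.0"),
])

if __name__ == "__main__":
    # With a path argument, check a file written by help:effective-pom -Doutput=...
    xml = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEAKY_BOM
    leaked = foreign_managed_deps(xml)
    print("\n".join(leaked) or "only own-group artifacts are managed")
    sys.exit(1 if leaked else 0)
```

Run against the file produced by `help:effective-pom`, a non-zero exit status makes the script usable as a release gate for the BOM module.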
