[ https://issues.apache.org/jira/browse/TIKA-4534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18034151#comment-18034151 ]

Tim Allison commented on TIKA-4534:
-----------------------------------

Uncharacteristically, I opened that against our 3x branch. When we get a clean 
build, I'll merge that into branch_3x, and you should get a snapshot build to 
test with in a few hours. If that fixes this issue, I'll cherry-pick into main. 
Thank you, again.

> tika-bom is managing versions of non-tika artifacts
> ---------------------------------------------------
>
>                 Key: TIKA-4534
>                 URL: https://issues.apache.org/jira/browse/TIKA-4534
>             Project: Tika
>          Issue Type: Bug
>          Components: packaging
>    Affects Versions: 3.2.3
>            Reporter: Christopher Lambert
>            Priority: Major
>
> In a private multi-module Maven project I wanted to manage versions of Tika 
> artifacts by importing the {{tika-bom}} of 3.2.3 in the parent pom.xml: 
> {code:java}
> <dependencyManagement>
>   <dependencies>
>     (...)
>     <dependency>
>       <groupId>org.apache.tika</groupId>
>       <artifactId>tika-bom</artifactId>
>       <version>3.2.3</version>
>       <type>pom</type>
>       <scope>import</scope>
>     </dependency>
>   </dependencies>
> </dependencyManagement>{code}
> But suddenly modules that are not using Tika at all no longer compiled.
> Looking at the dependency tree of those modules, it seems like many 
> dependency versions suddenly got upgraded unintentionally:
> {code:java}
> < [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
> ---
> > [INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
> 42c47
> < [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
> ---
> > [INFO] |     \- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
> 96c101
> < [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.4:test
> ---
> > [INFO] |  +- commons-fileupload:commons-fileupload:jar:1.6.0:test {code}
> The problem is that the published {{tika-bom}} is referencing {{tika-parent}}, 
> where many other artifacts' versions are enforced in the 
> {{dependencyManagement}} section:
> [https://repo1.maven.org/maven2/org/apache/tika/tika-bom/3.2.3/tika-bom-3.2.3.pom]
> [https://repo1.maven.org/maven2/org/apache/tika/tika-parent/3.2.3/tika-parent-3.2.3.pom]
> One can verify this locally by running:
> {code:java}
> ./mvnw help:effective-pom -Dartifact=org.apache.tika:tika-bom:3.2.3 -Doutput=tika-bom.txt{code}
> and comparing it to, for example:
> {code:java}
> ./mvnw help:effective-pom -Dartifact=org.slf4j:slf4j-bom:2.0.17 -Doutput=slf4j-bom.txt{code}
> where only slf4j artifacts are in the {{dependencyManagement}} section of the 
> effective pom.
> See also [https://jlbp.dev/JLBP-15] which states:
> ??Unlike the module POMs of a Maven project, the BOM does not inherit from 
> the parent POM that’s used for building other modules of the library. The 
> reason is that a parent will have direct (and possibly transitive) 
> dependencies in its {{<dependencyManagement>}} section to ensure that its 
> build is consistent, but these dependency versions shouldn’t be imported by 
> consumers who import the BOM.??



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
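
Added example, not part of the Jira issue or of Tika's code: a small Python check that automates the comparison described in the issue by listing every dependencyManagement entry in a BOM's effective POM whose groupId lies outside the BOM's own group. The function name and the embedded sample POM are constructed for illustration; the sample only reuses the coordinates quoted in the issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like help:effective-pom output for a BOM that
# inherits its parent's dependencyManagement. Not the real tika-bom POM.
SAMPLE_EFFECTIVE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.apache.tika</groupId>
  <artifactId>tika-bom</artifactId>
  <version>3.2.3</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.tika</groupId><artifactId>tika-core</artifactId><version>3.2.3</version></dependency>
    <dependency><groupId>jakarta.ws.rs</groupId><artifactId>jakarta.ws.rs-api</artifactId><version>3.1.0</version></dependency>
    <dependency><groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId><version>1.6.0</version></dependency>
  </dependencies></dependencyManagement>
</project>
"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def foreign_managed_dependencies(pom_xml, own_group=None):
    """Return (groupId, artifactId, version) for managed entries outside own_group."""
    root = ET.fromstring(pom_xml.strip())
    own_group = own_group or _child_text(root, "groupId")
    if not own_group:
        # A raw POM may inherit groupId from its parent; the caller must supply it.
        raise ValueError("no project groupId found; pass own_group explicitly")
    foreign = []
    for section in root:
        if _local(section.tag) != "dependencyManagement":
            continue
        for dep in section.iter():
            if _local(dep.tag) != "dependency":
                continue
            group = _child_text(dep, "groupId")
            if group != own_group and not group.startswith(own_group + "."):
                foreign.append((group, _child_text(dep, "artifactId"), _child_text(dep, "version")))
    return foreign

if __name__ == "__main__":
    for g, a, v in foreign_managed_dependencies(SAMPLE_EFFECTIVE_POM):
        print(f"{g}:{a}:{v}")
```

An empty result is what a BOM that follows JLBP-15 should give; any line printed is a version that importing the BOM would also pin in the consuming project.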
