[jira] [Assigned] (MNG-5622) Provided dependencies updated to 'compile' even when excluded

[Sylwester Lachiewicz (Jira)]

     [ 
https://issues.apache.org/jira/browse/MNG-5622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sylwester Lachiewicz reassigned MNG-5622:
-----------------------------------------

    Assignee:     (was: Jason van Zyl)

> Provided dependencies updated to 'compile' even when excluded
> -------------------------------------------------------------
>
>                 Key: MNG-5622
>                 URL: https://issues.apache.org/jira/browse/MNG-5622
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.0.5, 3.2.1
>            Reporter: Cintia DR
>            Priority: Minor
>              Labels: needs-attention
>         Attachments: dependencies-maven.tar.gz
>
>
> I have a project A with the following dependency:
> {code}
>  <dependency>
>         <groupId>dom4j</groupId>
>         <artifactId>dom4j</artifactId>
>         <version>1.6.1</version>
>     </dependency>
> {code}
> _dom4j_ has a compile dependency _xml-api_. 
> In the project B, I use project A as a provided dependency. And it has 
> another dependency:
> {code}
> <!-- dom4j is a dependency of poi-ooxml -->
>       <dependency>
>         <groupId>org.apache.poi</groupId>
>         <artifactId>poi-ooxml</artifactId>
>         <version>3.9</version>
>         <exclusions>
>           <exclusion>
>             <groupId>xml-apis</groupId>
>             <artifactId>xml-apis</artifactId>
>           </exclusion>
>         </exclusions> 
>       </dependency>
> {code}
> So, what happens is maven 3.2.1 adds xml-api as a compile dependency 
> regardless if you exclude it from poi-ooxml. 
> As far as I understood, maven is getting project A dependencies, and finds a 
> _dom4j_. It was initially supposed to be 
> [provided|http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope],
>  but the compile dependency _poi-ooxml_ has _dom4j_ as a transitive compile 
> dependency - so maven correctly updates _dom4j_ scope to compile.
> The problem is, because it's adding _dom4j_ to compile scope, it decides to 
> upgrade _xml-api_ to a compile dependency, *even if we excluded it* in the 
> first place. 
> The obvious workaround is to exclude _dom4j_ from _poi-ooxml_.  
> I'm not sure if this is the expected behaviour, or just a corner case. I 
> couldn't find any valid documentation about that case. 
> This is a possible duplicate of MNG-5404, but it looks slightly different. I 
> wonder if they have the same root cause. 
> To run the test attached, "mvn package dependency:tree" will do it. 
> dependency:2.8:tree is showing the same resolution tree as maven itself. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)