[
https://issues.apache.org/jira/browse/MENFORCER-316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Scholte closed MENFORCER-316.
------------------------------------
Assignee: Robert Scholte
Resolution: Not A Bug
If you specify a version in dependency management, that will version being
used. You defined 2.5.3 as the managed version, which is indeed the upperbound
of all org.checkerframework:checker-compat-qual dependencies. This is actually
the preferred way to solve issues found by the requireUpperBounds rule.
If you lower the managed version to 2.0.0 the enforcer-rule will break, because
core prefers to have 2.5.3, which is below 2.0.0.
> requireUpperBoundDeps sometimes still ineffective when dependencyManagement
> is used
> -----------------------------------------------------------------------------------
>
> Key: MENFORCER-316
> URL: https://issues.apache.org/jira/browse/MENFORCER-316
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Affects Versions: 3.0.0-M2
> Reporter: Chris Povirk
> Assignee: Robert Scholte
> Priority: Major
> Attachments: menforcerbug.tar
>
>
> This sounds similar to
> [MENFORCER-146|https://issues.apache.org/jira/browse/MENFORCER-146], but that
> was fixed long ago.
> Attached is a multi-module project whose:
> * `core` module depends on checker-compat-qual 2.5.3
> * `core` module depends on guava 25.1-android, which
> [depends|https://repo1.maven.org/maven2/com/google/guava/guava/25.1-android/guava-25.1-android.pom]
>
> [on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/25.1-android/guava-parent-25.1-android.pom]
> checker-compat-qual 2.0.0
> * `extension` module depends on the `core` module and checker-compat-qual
> 2.1.0
> That's 3 different versions of checker-compat-qual in the dependency graph of
> `extension`. As expected, `extension` chooses the nearest version, 2.1.0:
> {noformat}
> $ rm -rf ~/.m2/repository/com/google/menforcer/ &&
> /tmp/tmp.Q0KJ1iotaP/apache-maven-3.5.4/bin/mvn clean install
> dependency:build-classpath | perl -ne 'print if /Building extension/ ... 0' |
> grep -o 'checker-compat-qual-[^:]*'
> checker-compat-qual-2.1.0.jar
> {noformat}
> This is not the newest version, though, so I would expect the configured
> `requireUpperBoundDeps` check to fail. Yet it succeeds, unable to detect the
> problem.
> Interestingly, it is able to detect the problem if I remove the
> dependencyManagement section from the parent pom.
> Also interestingly, it is also able to detect the problem if I update the
> guava dependency to version 26.0-android, which [depends
> on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom]
> checker-compat-qual 2.5.3.
> So it seems like the enforcer is confused by a combination of (a) a
> dependencyManagement section and (b) a transitive dependency on an even older
> version of the non-upper-bounded library.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
