[
https://issues.apache.org/jira/browse/MRESOLVER-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824002#comment-17824002
]
Tamas Cservenak commented on MRESOLVER-503:
-------------------------------------------
Did not dig in yet, but one this have to be said in advance: am pretty
confident there is not much to be done here, and reason is that current
codebase of m-dependency-p (as "dependency:tree and direct resolver API calls")
is full if not completely legacy. It does not use Resolver APIs at all, but a
big-thick and complex layer of legacy libraries, that end up in maven-compat,
that in turn delegates calls to Resolver API.
So to say, assuming there is a bug (and why not? as I said, this layer is
thick) am not considering it "worthwhile to fix", as instead, all these layers
should be tossed into oblivion.
IMHO, the proper solution for this would be to introduce some new "m-dep-p"
that does not drag this history.
> Differences between results of dependency:tree and direct resolver API calls
> ----------------------------------------------------------------------------
>
> Key: MRESOLVER-503
> URL: https://issues.apache.org/jira/browse/MRESOLVER-503
> Project: Maven Resolver
> Issue Type: Bug
> Components: Resolver
> Reporter: Alexey Loubyansky
> Priority: Major
>
> I noticed a difference in dependency trees produced by dependency:tree and
> what seems to be an equivalent invocation of the resolver using its API.
> It can be reproduced by applying the following change to the maven-resolver
> demo class
> [https://github.com/apache/maven-resolver/compare/master...aloubyansky:maven-resolver:dep-tree-diff?expand=1]
> Running that results in
> {code:java}
> com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> +- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
> | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
> | +- com.nimbusds:content-type:jar:2.2 [compile]
> | +- net.minidev:json-smart:jar:2.4.8 [compile]
> | +- com.nimbusds:lang-tag:jar:1.6 [compile]
> | \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
> +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
> \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile] {code}
> Notice the position of json-smart in the tree - it's a dependency of
> oauth2-oidc-sdk in this case.
> Now
> {code:java}
> cd ~/.m2/repository/com/microsoft/azure/msal4j/1.13.1.redhat-00001{code}
> {code:java}
> mvn dependency:tree -f msal4j-1.13.1.redhat-00001.pom -Dscope=compile
> {code}
> The output is
> {code:java}
> [INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> [INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
> [INFO] | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
> [INFO] | +- com.nimbusds:content-type:jar:2.2:compile
> [INFO] | +- com.nimbusds:lang-tag:jar:1.6:compile
> [INFO] | \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
> [INFO] +- net.minidev:json-smart:jar:2.4.8:compile
> [INFO] | \- net.minidev:accessors-smart:jar:2.4.8:compile
> [INFO] | \- org.ow2.asm:asm:jar:9.1:compile
> [INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile
> [INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
> [INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
> [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
> [INFO] \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile {code}
> In this case json-smart is shown as a direct dependency of msal4j, which it
> is in its POM.
> Following the preference of the nearest to the root, dependency:tree seems to
> be correct, isn't it?
> In any case, I'd expect the same result (for compile scope) dependencies out
> of of both approaches. Thanks.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
