[ 
https://issues.apache.org/jira/browse/MRESOLVER-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824052#comment-17824052
 ] 

Alexey Loubyansky commented on MRESOLVER-503:
---------------------------------------------

What this shows to me is that a developer of msal4j can't be sure the dependency 
versions he/she configured in its POM are not guaranteed to be preserved when 
msal4j is used in another project, even if it's the only dependency of that 
project. Is that correct?

Is a dependencyManagement section or BOM the only way to guarantee dependency 
versions?

> Differences between results of dependency:tree and direct resolver API calls
> ----------------------------------------------------------------------------
>
>                 Key: MRESOLVER-503
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-503
>             Project: Maven Resolver
>          Issue Type: Bug
>          Components: Resolver
>            Reporter: Alexey Loubyansky
>            Priority: Major
>
> I noticed a difference in dependency trees produced by dependency:tree and 
> what seems to be an equivalent invocation of the resolver using its API.
> It can be reproduced by applying the following change to the maven-resolver 
> demo class 
> [https://github.com/apache/maven-resolver/compare/master...aloubyansky:maven-resolver:dep-tree-diff?expand=1]
> Running that results in
> {code:java}
> com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> +- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
> |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
> |  +- com.nimbusds:content-type:jar:2.2 [compile]
> |  +- net.minidev:json-smart:jar:2.4.8 [compile]
> |  +- com.nimbusds:lang-tag:jar:1.6 [compile]
> |  \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
> +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
> \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile] {code}
> Notice the position of json-smart in the tree - it's a dependency of 
> oauth2-oidc-sdk in this case.
> Now
> {code:java}
> cd ~/.m2/repository/com/microsoft/azure/msal4j/1.13.1.redhat-00001{code}
> {code:java}
> mvn dependency:tree -f msal4j-1.13.1.redhat-00001.pom -Dscope=compile
> {code}
> The output is
> {code:java}
> [INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> [INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
> [INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
> [INFO] |  +- com.nimbusds:content-type:jar:2.2:compile
> [INFO] |  +- com.nimbusds:lang-tag:jar:1.6:compile
> [INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
> [INFO] +- net.minidev:json-smart:jar:2.4.8:compile
> [INFO] |  \- net.minidev:accessors-smart:jar:2.4.8:compile
> [INFO] |     \- org.ow2.asm:asm:jar:9.1:compile
> [INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile
> [INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
> [INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
> [INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
> [INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile {code}
> In this case json-smart is shown as a direct dependency of msal4j, which it 
> is in its POM.
> Following the preference of the nearest to the root, dependency:tree seems to 
> be correct, isn't it?
> In any case, I'd expect the same result (for compile scope) dependencies out 
> of both approaches. Thanks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
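
Added example, not part of the original message and not Maven Resolver code: a small script that parses the two tree listings quoted in the issue and reports which artifacts are missing, moved to a different parent, or resolved to a different version. The names parse_tree and diff_trees are hypothetical; it assumes three characters of indentation per tree level and coordinates without a classifier.

```python
# Constructed sample input: the two trees quoted in the issue (resolver API, then dependency:tree).
RESOLVER_API = r"""com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
+- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
|  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
|  +- com.nimbusds:content-type:jar:2.2 [compile]
|  +- net.minidev:json-smart:jar:2.4.8 [compile]
|  +- com.nimbusds:lang-tag:jar:1.6 [compile]
|  \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
+- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile]"""
DEP_TREE = r"""[INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
[INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
[INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  +- com.nimbusds:content-type:jar:2.2:compile
[INFO] |  +- com.nimbusds:lang-tag:jar:1.6:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
[INFO] +- net.minidev:json-smart:jar:2.4.8:compile
[INFO] |  \- net.minidev:accessors-smart:jar:2.4.8:compile
[INFO] |     \- org.ow2.asm:asm:jar:9.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile"""

def parse_tree(text):
    """Map groupId:artifactId -> (parent key, version, scope) for either output format."""
    nodes, stack = {}, []
    for line in text.splitlines():
        line = line.removeprefix("[INFO] ")
        start = len(line) - len(line.lstrip(" |+-\\"))  # width of the tree-drawing prefix
        coords, _, rest = line[start:].partition(" ")
        group, artifact, _type, version, *scope = coords.split(":")
        del stack[start // 3:]  # assumption: 3 characters per level; keep only ancestors
        key = f"{group}:{artifact}"
        # Scope is either the 5th coordinate (dependency:tree) or "[scope]" after the coordinates.
        nodes[key] = (stack[-1] if stack else None, version,
                      scope[0] if scope else rest.strip("[] ") or None)
        stack.append(key)
    return nodes

def diff_trees(left, right):
    """Report artifacts present on one side only, attached elsewhere, or at another version."""
    shared = left.keys() & right.keys()
    return {
        "only_left": sorted(left.keys() - right.keys()),
        "only_right": sorted(right.keys() - left.keys()),
        "reparented": {k: (left[k][0], right[k][0]) for k in shared if left[k][0] != right[k][0]},
        "version_differs": {k: (left[k][1], right[k][1]) for k in shared if left[k][1] != right[k][1]},
    }
```
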