[
https://issues.apache.org/jira/browse/MRESOLVER-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824066#comment-17824066
]
Tamas Cservenak commented on MRESOLVER-503:
-------------------------------------------
Yes, problem is that msal4j uses a dependency, that uses a range. And moreover,
that range is INCOMPATIBLE with his own choice of dependency.
Many think "closer will override further" that is in general true, and that
would happen if "oauth2-oidc-sdk" would not use range.
In case of ranges, things get different.
And finally, all this is addressed in Maven4, that got "transitive depMgr". In
Maven3, even if msal4j dependency's POM would have depMgmt entry, IT IS
IGNORED. In Maven4 is not.
Basically, today with Maven3 it is the job of consumer of msal4j to ensure "all
is aligned", and he can sort it out by adding direct dependencies (to same
level of msal4j), or depMgmt etc.
> Differences between results of dependency:tree and direct resolver API calls
> ----------------------------------------------------------------------------
>
> Key: MRESOLVER-503
> URL: https://issues.apache.org/jira/browse/MRESOLVER-503
> Project: Maven Resolver
> Issue Type: Bug
> Components: Resolver
> Reporter: Alexey Loubyansky
> Priority: Major
>
> I noticed a difference in dependency trees produced by dependency:tree and
> what seems to be an equivalent invocation of the resolver using its API.
> It can be reproduced by applying the following change to the maven-resolver
> demo class
> [https://github.com/apache/maven-resolver/compare/master...aloubyansky:maven-resolver:dep-tree-diff?expand=1]
> Running that results in
> {code:java}
> com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> +- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
> | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
> | +- com.nimbusds:content-type:jar:2.2 [compile]
> | +- net.minidev:json-smart:jar:2.4.8 [compile]
> | +- com.nimbusds:lang-tag:jar:1.6 [compile]
> | \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
> +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
> \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile] {code}
> Notice the position of json-smart in the tree - it's a dependency of
> oauth2-oidc-sdk in this case.
> Now
> {code:java}
> cd ~/.m2/repository/com/microsoft/azure/msal4j/1.13.1.redhat-00001{code}
> {code:java}
> mvn dependency:tree -f msal4j-1.13.1.redhat-00001.pom -Dscope=compile
> {code}
> The output is
> {code:java}
> [INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> [INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
> [INFO] | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
> [INFO] | +- com.nimbusds:content-type:jar:2.2:compile
> [INFO] | +- com.nimbusds:lang-tag:jar:1.6:compile
> [INFO] | \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
> [INFO] +- net.minidev:json-smart:jar:2.4.8:compile
> [INFO] | \- net.minidev:accessors-smart:jar:2.4.8:compile
> [INFO] | \- org.ow2.asm:asm:jar:9.1:compile
> [INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile
> [INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
> [INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
> [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
> [INFO] \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile {code}
> In this case json-smart is shown as a direct dependency of msal4j, which it
> is in its POM.
> Following the preference of the nearest to the root, dependency:tree seems to
> be correct, isn't it?
> In any case, I'd expect the same result (for compile scope) dependencies out
> of of both approaches. Thanks.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
