[
https://issues.apache.org/jira/browse/MRESOLVER-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824084#comment-17824084
]
Tamas Cservenak commented on MRESOLVER-503:
-------------------------------------------
So, to showcase WHAT changed in maven4 (what is "transitive dep mgr") I had to
do locally some builds :smile: but it worked.
So, one thing: I _locally_ modified the msal4j local reposiory POM by adding
depMgt section above. Then, I crafted a graph where I "pushed" msal4j deeper
(as it would be "some dep on nth level".
This is what Maven 3.9 does:
{noformat}
[cstamas@angeleyes mima (maven4-resolver2 *%)]$ jbang mima@maveniverse -s
settings.xml
MIMA (Runtime 'standalone-static' version 2.4.8)
====
Maven version 3.9.6
Managed true
Basedir /home/cstamas/Worx/maveniverse/mima
Offline false
MAVEN_HOME /home/cstamas/.sdkman/candidates/maven/current
settings.xml
/home/cstamas/.sdkman/candidates/maven/current/conf/settings.xml
toolchains.xml
/home/cstamas/.sdkman/candidates/maven/current/conf/toolchains.xml
USER_HOME /home/cstamas/.m2
settings.xml settings.xml
settings-security.xml /home/cstamas/.m2/settings-security.xml
local repository /home/cstamas/Worx/maveniverse/mima/local
PROFILES
Active [oss-development]
Inactive []
REMOTE REPOSITORIES
central (https://repo.maven.apache.org/maven2/,
default, releases)
redhat (https://maven.repository.redhat.com/ga/,
default, releases)
prompt> graph cstamas:cstamas:1.0
cstamas:cstamas:jar:1.0
\- cstamas:cstamas2:jar:1.0 [compile]
\- cstamas:cstamas3:jar:1.0 [compile]
\- com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001 [compile]
+- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
| +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
| +- com.nimbusds:content-type:jar:2.2 [compile]
| +- net.minidev:json-smart:jar:1.3.3 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.0-RC1 [compile] (conflicts with
2.4.8)
| +- net.minidev:json-smart:jar:2.0-RC2 [compile] (conflicts with
2.4.8)
| +- net.minidev:json-smart:jar:2.0-RC3 [compile] (conflicts with
2.4.8)
| +- net.minidev:json-smart:jar:2.0 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.1.0 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.1.1 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.2 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.2.1 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.3 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.3.0.redhat-00001 [compile]
(conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.3.1 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.1 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.2 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.4 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.5 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.6 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.7 [compile] (conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.7.redhat-00001 [compile]
(conflicts with 2.4.8)
| +- net.minidev:json-smart:jar:2.4.8 [compile]
| | \- net.minidev:accessors-smart:jar:2.4.8 [compile]
| | \- org.ow2.asm:asm:jar:9.1 [compile]
| +- com.nimbusds:lang-tag:jar:1.6 [compile]
| \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
| \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
(nearer exists)
+- net.minidev:json-smart:jar:2.4.8.redhat-00001 [compile] (conflicts
with 2.4.8)
+- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
+- org.projectlombok:lombok:jar:1.18.6 [provided]
\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile]
+- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2
[compile]
\- com.fasterxml.jackson.core:jackson-core:jar:2.13.2 [compile]
prompt> {noformat}
Basically same problem as w/o depMgt section. Maven Resolver 1.x IGNORES depMgt
from level 2 onward.
And this is what Maven4 does:
{noformat}
[cstamas@angeleyes mima (maven4-resolver2 *%)]$ java -jar
cli/target/cli-2.4.6-SNAPSHOT-uber.jar -s settings.xml
MIMA (Runtime 'standalone-static' version 2.4.6-SNAPSHOT)
====
Maven version 4.0.0-alpha-13-SNAPSHOT
Managed true
Basedir /home/cstamas/Worx/maveniverse/mima
Offline false
MAVEN_HOME /home/cstamas/.sdkman/candidates/maven/current
settings.xml
/home/cstamas/.sdkman/candidates/maven/current/conf/settings.xml
toolchains.xml
/home/cstamas/.sdkman/candidates/maven/current/conf/toolchains.xml
USER_HOME /home/cstamas/.m2
settings.xml settings.xml
settings-security.xml /home/cstamas/.m2/settings-security.xml
local repository /home/cstamas/Worx/maveniverse/mima/local
PROFILES
Active [oss-development]
Inactive []
REMOTE REPOSITORIES
central (https://repo.maven.apache.org/maven2/,
default, releases)
redhat (https://maven.repository.redhat.com/ga/,
default, releases)
prompt> graph cstamas:cstamas:1.0
cstamas:cstamas:jar:1.0
\- cstamas:cstamas2:jar:1.0 [compile]
\- cstamas:cstamas3:jar:1.0 [compile]
\- com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001 [compile]
+- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
| +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
| +- com.nimbusds:content-type:jar:2.2 [compile]
| +- net.minidev:json-smart:jar:2.4.8.redhat-00001 [compile] (version
managed from [1.3.3,2.4.8]) (nearer exists)
| +- com.nimbusds:lang-tag:jar:1.6 [compile]
| \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
| \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
(nearer exists)
+- net.minidev:json-smart:jar:2.4.8.redhat-00001 [compile]
| \- net.minidev:accessors-smart:jar:2.4.8.redhat-00001 [compile]
| \- org.ow2.asm:asm:jar:9.1 [compile]
+- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
+- org.projectlombok:lombok:jar:1.18.6 [provided]
\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile]
+- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2
[compile]
\- com.fasterxml.jackson.core:jackson-core:jar:2.13.2 [compile]
prompt> {noformat}
So, the depMgt REMAINS in effect, despite is on 3rd level (ignored by Maven 3).
> Differences between results of dependency:tree and direct resolver API calls
> ----------------------------------------------------------------------------
>
> Key: MRESOLVER-503
> URL: https://issues.apache.org/jira/browse/MRESOLVER-503
> Project: Maven Resolver
> Issue Type: Bug
> Components: Resolver
> Reporter: Alexey Loubyansky
> Priority: Major
>
> I noticed a difference in dependency trees produced by dependency:tree and
> what seems to be an equivalent invocation of the resolver using its API.
> It can be reproduced by applying the following change to the maven-resolver
> demo class
> [https://github.com/apache/maven-resolver/compare/master...aloubyansky:maven-resolver:dep-tree-diff?expand=1]
> Running that results in
> {code:java}
> com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> +- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
> | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
> | +- com.nimbusds:content-type:jar:2.2 [compile]
> | +- net.minidev:json-smart:jar:2.4.8 [compile]
> | +- com.nimbusds:lang-tag:jar:1.6 [compile]
> | \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
> +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
> \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile] {code}
> Notice the position of json-smart in the tree - it's a dependency of
> oauth2-oidc-sdk in this case.
> Now
> {code:java}
> cd ~/.m2/repository/com/microsoft/azure/msal4j/1.13.1.redhat-00001{code}
> {code:java}
> mvn dependency:tree -f msal4j-1.13.1.redhat-00001.pom -Dscope=compile
> {code}
> The output is
> {code:java}
> [INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
> [INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
> [INFO] | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
> [INFO] | +- com.nimbusds:content-type:jar:2.2:compile
> [INFO] | +- com.nimbusds:lang-tag:jar:1.6:compile
> [INFO] | \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
> [INFO] +- net.minidev:json-smart:jar:2.4.8:compile
> [INFO] | \- net.minidev:accessors-smart:jar:2.4.8:compile
> [INFO] | \- org.ow2.asm:asm:jar:9.1:compile
> [INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile
> [INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
> [INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
> [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
> [INFO] \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile {code}
> In this case json-smart is shown as a direct dependency of msal4j, which it
> is in its POM.
> Following the preference of the nearest to the root, dependency:tree seems to
> be correct, isn't it?
> In any case, I'd expect the same result (for compile scope) dependencies out
> of of both approaches. Thanks.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
