[ https://issues.apache.org/jira/browse/MRESOLVER-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824084#comment-17824084 ]
Tamas Cservenak commented on MRESOLVER-503: ------------------------------------------- So, to showcase WHAT changed in maven4 (what is "transitive dep mgr") I had to do locally some builds :smile: but it worked. So, one thing: I _locally_ modified the msal4j local reposiory POM by adding depMgt section above. Then, I crafted a graph where I "pushed" msal4j deeper (as it would be "some dep on nth level". This is what Maven 3.9 does: {noformat} [cstamas@angeleyes mima (maven4-resolver2 *%)]$ jbang mima@maveniverse -s settings.xml MIMA (Runtime 'standalone-static' version 2.4.8) ==== Maven version 3.9.6 Managed true Basedir /home/cstamas/Worx/maveniverse/mima Offline false MAVEN_HOME /home/cstamas/.sdkman/candidates/maven/current settings.xml /home/cstamas/.sdkman/candidates/maven/current/conf/settings.xml toolchains.xml /home/cstamas/.sdkman/candidates/maven/current/conf/toolchains.xml USER_HOME /home/cstamas/.m2 settings.xml settings.xml settings-security.xml /home/cstamas/.m2/settings-security.xml local repository /home/cstamas/Worx/maveniverse/mima/local PROFILES Active [oss-development] Inactive [] REMOTE REPOSITORIES central (https://repo.maven.apache.org/maven2/, default, releases) redhat (https://maven.repository.redhat.com/ga/, default, releases) prompt> graph cstamas:cstamas:1.0 cstamas:cstamas:jar:1.0 \- cstamas:cstamas2:jar:1.0 [compile] \- cstamas:cstamas3:jar:1.0 [compile] \- com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001 [compile] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile] | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile] | +- com.nimbusds:content-type:jar:2.2 [compile] | +- net.minidev:json-smart:jar:1.3.3 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.0-RC1 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.0-RC2 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.0-RC3 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.0 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.1.0 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.1.1 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.2 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.2.1 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.3 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.3.0.redhat-00001 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.3.1 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.1 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.2 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.4 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.5 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.6 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.7 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.7.redhat-00001 [compile] (conflicts with 2.4.8) | +- net.minidev:json-smart:jar:2.4.8 [compile] | | \- net.minidev:accessors-smart:jar:2.4.8 [compile] | | \- org.ow2.asm:asm:jar:9.1 [compile] | +- com.nimbusds:lang-tag:jar:1.6 [compile] | \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile] | \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile] (nearer exists) +- net.minidev:json-smart:jar:2.4.8.redhat-00001 [compile] (conflicts with 2.4.8) +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile] +- org.projectlombok:lombok:jar:1.18.6 [provided] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2 [compile] \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2 [compile] prompt> {noformat} Basically same problem as w/o depMgt section. Maven Resolver 1.x IGNORES depMgt from level 2 onward. And this is what Maven4 does: {noformat} [cstamas@angeleyes mima (maven4-resolver2 *%)]$ java -jar cli/target/cli-2.4.6-SNAPSHOT-uber.jar -s settings.xml MIMA (Runtime 'standalone-static' version 2.4.6-SNAPSHOT) ==== Maven version 4.0.0-alpha-13-SNAPSHOT Managed true Basedir /home/cstamas/Worx/maveniverse/mima Offline false MAVEN_HOME /home/cstamas/.sdkman/candidates/maven/current settings.xml /home/cstamas/.sdkman/candidates/maven/current/conf/settings.xml toolchains.xml /home/cstamas/.sdkman/candidates/maven/current/conf/toolchains.xml USER_HOME /home/cstamas/.m2 settings.xml settings.xml settings-security.xml /home/cstamas/.m2/settings-security.xml local repository /home/cstamas/Worx/maveniverse/mima/local PROFILES Active [oss-development] Inactive [] REMOTE REPOSITORIES central (https://repo.maven.apache.org/maven2/, default, releases) redhat (https://maven.repository.redhat.com/ga/, default, releases) prompt> graph cstamas:cstamas:1.0 cstamas:cstamas:jar:1.0 \- cstamas:cstamas2:jar:1.0 [compile] \- cstamas:cstamas3:jar:1.0 [compile] \- com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001 [compile] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile] | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile] | +- com.nimbusds:content-type:jar:2.2 [compile] | +- net.minidev:json-smart:jar:2.4.8.redhat-00001 [compile] (version managed from [1.3.3,2.4.8]) (nearer exists) | +- com.nimbusds:lang-tag:jar:1.6 [compile] | \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile] | \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile] (nearer exists) +- net.minidev:json-smart:jar:2.4.8.redhat-00001 [compile] | \- net.minidev:accessors-smart:jar:2.4.8.redhat-00001 [compile] | \- org.ow2.asm:asm:jar:9.1 [compile] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile] +- org.projectlombok:lombok:jar:1.18.6 [provided] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2 [compile] \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2 [compile] prompt> {noformat} So, the depMgt REMAINS in effect, despite is on 3rd level (ignored by Maven 3). > Differences between results of dependency:tree and direct resolver API calls > ---------------------------------------------------------------------------- > > Key: MRESOLVER-503 > URL: https://issues.apache.org/jira/browse/MRESOLVER-503 > Project: Maven Resolver > Issue Type: Bug > Components: Resolver > Reporter: Alexey Loubyansky > Priority: Major > > I noticed a difference in dependency trees produced by dependency:tree and > what seems to be an equivalent invocation of the resolver using its API. > It can be reproduced by applying the following change to the maven-resolver > demo class > [https://github.com/apache/maven-resolver/compare/master...aloubyansky:maven-resolver:dep-tree-diff?expand=1] > Running that results in > {code:java} > com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001 > +- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile] > | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile] > | +- com.nimbusds:content-type:jar:2.2 [compile] > | +- net.minidev:json-smart:jar:2.4.8 [compile] > | +- com.nimbusds:lang-tag:jar:1.6 [compile] > | \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile] > +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile] > \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile] {code} > Notice the position of json-smart in the tree - it's a dependency of > oauth2-oidc-sdk in this case. > Now > {code:java} > cd ~/.m2/repository/com/microsoft/azure/msal4j/1.13.1.redhat-00001{code} > {code:java} > mvn dependency:tree -f msal4j-1.13.1.redhat-00001.pom -Dscope=compile > {code} > The output is > {code:java} > [INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001 > [INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile > [INFO] | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile > [INFO] | +- com.nimbusds:content-type:jar:2.2:compile > [INFO] | +- com.nimbusds:lang-tag:jar:1.6:compile > [INFO] | \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile > [INFO] +- net.minidev:json-smart:jar:2.4.8:compile > [INFO] | \- net.minidev:accessors-smart:jar:2.4.8:compile > [INFO] | \- org.ow2.asm:asm:jar:9.1:compile > [INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile > [INFO] +- org.projectlombok:lombok:jar:1.18.6:provided > [INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile > [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile > [INFO] \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile {code} > In this case json-smart is shown as a direct dependency of msal4j, which it > is in its POM. > Following the preference of the nearest to the root, dependency:tree seems to > be correct, isn't it? > In any case, I'd expect the same result (for compile scope) dependencies out > of of both approaches. Thanks. -- This message was sent by Atlassian Jira (v8.20.10#820010)