Lenny Primak created MNG-8132: --------------------------------- Summary: Dependency-management "client" exclusions overwrite BOM exclusions Key: MNG-8132 URL: https://issues.apache.org/jira/browse/MNG-8132 Project: Maven Issue Type: Bug Components: Bootstrap & Build Affects Versions: 4.0.0-beta-3, 4.0.0-alpha-13 Environment: Any Reporter: Lenny Primak
Continuation of https://issues.apache.org/jira/browse/MNG-8118 When importing BOM and introducing exclusions, they overwrite exclusions already present in the BOM. They should not Slack conversation link: [https://the-asf.slack.com/archives/C7Q9JB404/p1714938396499939] Regressed by https://issues.apache.org/jira/browse/MNG-5600 Reproducer project: [https://github.com/flowlogix/bom-exclusions-mvn4] Offending / reproducing key lines of pom: {code:java} <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-bom</artifactId> <version>2.0.0</version> <type>pom</type> <scope>import</scope> <exclusions> <!-- **** Inserting below exclusion triggers the failure--> <exclusion> <groupId>org.slf4j</groupId> <artifactId>*</artifactId> </exclusion> </exclusions> </dependency> </dependencies> </dependencyManagement> {code} Expected result (maven 3.9.7) only one shiro-core.jar dependency with _jakarta_ classifier is present: {code:java} lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0) Maven home: /Users/lprimak/.sdkman/candidates/maven/3.9.7 Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac" [INFO] Scanning for projects... [INFO] [INFO] -----------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >----------- [INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT [INFO] from pom.xml [INFO] --------------------------------[ pom ]-------------------------------- [INFO] [INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 --- [INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT [INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile [INFO] | \- org.owasp.encoder:encoder:jar:1.2.3:compile [INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile ..... cut unnecessary lines [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 1.630 s [INFO] Finished at: 2024-05-28T22:44:57-04:00 [INFO] ----------------------------------------------------------------------- {code} Current result (maven 4.0.0-alpha-3): both shiro-core with and without jakarta classifier exist: {code:java} lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree Apache Maven 4.0.0-beta-3 (e92f645c2749eb2a4f5a8843cf01e7441e4b559f) Maven home: /Users/lprimak/.sdkman/candidates/maven/4.0.0-beta-3 Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac" [INFO] Scanning for projects... [INFO] [INFO] ------------------------------------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >------------------------------------ [INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT [INFO] from pom.xml [INFO] ---------------------------------------------------------[ pom ]--------------------------------------------------------- [INFO] [INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 --- [INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT [INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile *** should not exist - non-jakarta classifier [INFO] | +- org.apache.shiro:shiro-core:jar:2.0.0:compile [INFO] | \- org.owasp.encoder:encoder:jar:1.2.3:compile *** this is the correct reference [INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile ..... cut unnecessary lines [INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT to project local repository [INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:consumer:1.x-SNAPSHOT to project local repository [INFO] ------------------------------------------------------------------------------------------------------------------------- [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------------------------------------------------------- [INFO] Total time: 2.589 s [INFO] Finished at: 2024-05-28T22:49:26-04:00 [INFO] ------------------------------------------------------------------------------------------------------------------------- {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)