[ https://issues.apache.org/jira/browse/MNG-8132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lenny Primak updated MNG-8132:
------------------------------
    Description: 
Continuation of https://issues.apache.org/jira/browse/MNG-8118

When importing BOM and introducing exclusions, they overwrite exclusions 
already present in the BOM. They should not.

Slack conversation link: 
[https://the-asf.slack.com/archives/C7Q9JB404/p1714938396499939]

Regressed by https://issues.apache.org/jira/browse/MNG-5600

Reproducer project: [https://github.com/flowlogix/bom-exclusions-mvn4]

Offending / reproducing key lines of pom:
{code:java}
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-bom</artifactId>
                <version>2.0.0</version>
                <type>pom</type>
                <scope>import</scope>
                <exclusions>
<!-- ****           Inserting below exclusion triggers the failure-->
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>*</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
        </dependencies>
    </dependencyManagement>
{code}
Expected result (Maven 3.9.7): only one shiro-core.jar dependency with _jakarta_ 
classifier is present:
{code:java}
lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree
Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0)
Maven home: /Users/lprimak/.sdkman/candidates/maven/3.9.7
Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >-----------
[INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]--------------------------------
[INFO] 
[INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
..... cut unnecessary lines
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.630 s
[INFO] Finished at: 2024-05-28T22:44:57-04:00
[INFO] ----------------------------------------------------------------------- 
{code}
 

Current result (Maven 4.0.0-alpha-3): both shiro-core with and without jakarta 
classifier exist:
{code:java}
lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree    
Apache Maven 4.0.0-beta-3 (e92f645c2749eb2a4f5a8843cf01e7441e4b559f)
Maven home: /Users/lprimak/.sdkman/candidates/maven/4.0.0-beta-3
Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------------------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >------------------------------------
[INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
[INFO]   from pom.xml
[INFO] ---------------------------------------------------------[ pom ]---------------------------------------------------------
[INFO] 
[INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
*** below should not exist - non-jakarta classifier 
[INFO] |  +- org.apache.shiro:shiro-core:jar:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
*** below is the correct reference to shiro-core
[INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
..... cut unnecessary lines 
[INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT to project local repository
[INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:consumer:1.x-SNAPSHOT to project local repository
[INFO] -------------------------------------------------------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] -------------------------------------------------------------------------------------------------------------------------
[INFO] Total time:  2.589 s
[INFO] Finished at: 2024-05-28T22:49:26-04:00
[INFO] -------------------------------------------------------------------------------------------------------------------------
{code}
 

  was:
Continuation of https://issues.apache.org/jira/browse/MNG-8118

When importing BOM and introducing exclusions, they overwrite exclusions 
already present in the BOM. They should not.

Slack conversation link: 
[https://the-asf.slack.com/archives/C7Q9JB404/p1714938396499939]

Regressed by https://issues.apache.org/jira/browse/MNG-5600

Reproducer project: [https://github.com/flowlogix/bom-exclusions-mvn4]

Offending / reproducing key lines of pom:
{code:java}
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-bom</artifactId>
                <version>2.0.0</version>
                <type>pom</type>
                <scope>import</scope>
                <exclusions>
<!-- ****           Inserting below exclusion triggers the failure-->
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>*</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
        </dependencies>
    </dependencyManagement>
{code}
Expected result (Maven 3.9.7): only one shiro-core.jar dependency with _jakarta_ 
classifier is present:
{code:java}
lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree
Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0)
Maven home: /Users/lprimak/.sdkman/candidates/maven/3.9.7
Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >-----------
[INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]--------------------------------
[INFO] 
[INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
..... cut unnecessary lines
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.630 s
[INFO] Finished at: 2024-05-28T22:44:57-04:00
[INFO] ----------------------------------------------------------------------- 
{code}
 

Current result (Maven 4.0.0-alpha-3): both shiro-core with and without jakarta 
classifier exist:
{code:java}
lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree    
Apache Maven 4.0.0-beta-3 (e92f645c2749eb2a4f5a8843cf01e7441e4b559f)
Maven home: /Users/lprimak/.sdkman/candidates/maven/4.0.0-beta-3
Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------------------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >------------------------------------
[INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
[INFO]   from pom.xml
[INFO] ---------------------------------------------------------[ pom ]---------------------------------------------------------
[INFO] 
[INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
*** should not exist - non-jakarta classifier [INFO] |  +- org.apache.shiro:shiro-core:jar:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
*** this is the correct reference [INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
..... cut unnecessary lines 
[INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT to project local repository
[INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:consumer:1.x-SNAPSHOT to project local repository
[INFO] -------------------------------------------------------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] -------------------------------------------------------------------------------------------------------------------------
[INFO] Total time:  2.589 s
[INFO] Finished at: 2024-05-28T22:49:26-04:00
[INFO] -------------------------------------------------------------------------------------------------------------------------
{code}
 


> Dependency-management "client" exclusions overwrite BOM exclusions
> ------------------------------------------------------------------
>
>                 Key: MNG-8132
>                 URL: https://issues.apache.org/jira/browse/MNG-8132
>             Project: Maven
>          Issue Type: Bug
>          Components: Bootstrap & Build
>    Affects Versions: 4.0.0-alpha-13, 4.0.0-beta-3
>         Environment: Any
>            Reporter: Lenny Primak
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
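
Both runs in the report end in BUILD SUCCESS, so the regression shows up only in the dependency tree. As an added example (not part of the original issue or of the Maven project), this Python check parses `mvn dependency:tree` output and flags any groupId:artifactId:type that resolves with more than one classifier. The function names are hypothetical and the sample lines are copied from the two outputs in the report.

```python
import re
import sys
from collections import defaultdict

# Dependency lines copied from the two `mvn dependency:tree` runs in the report.
MVN_3_9_7 = r"""
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
"""
MVN_4_BETA_3 = r"""
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
[INFO] |  +- org.apache.shiro:shiro-core:jar:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
"""

# A tree node: "[INFO] ", optional "|  " indentation, "+- " or "\- ", coordinates.
NODE = re.compile(r"^\[INFO\]\s[|\s]*[+\\]-\s(\S+)")


def parse_node(line):
    """Return ((group, artifact, type), classifier) for a tree line, else None."""
    m = NODE.match(line)
    if not m:
        return None
    parts = m.group(1).split(":")
    if len(parts) == 5:    # group:artifact:type:version:scope
        group, artifact, typ, _version, _scope = parts
        classifier = "(none)"
    elif len(parts) == 6:  # group:artifact:type:classifier:version:scope
        group, artifact, typ, classifier, _version, _scope = parts
    else:
        return None
    return (group, artifact, typ), classifier


def classifier_conflicts(tree_text):
    """Map each group:artifact:type seen with several classifiers to that list."""
    seen = defaultdict(set)
    for line in tree_text.splitlines():
        node = parse_node(line)
        if node:
            seen[node[0]].add(node[1])
    return {":".join(k): sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":  # usage: mvn dependency:tree | python check_classifiers.py
    conflicts = classifier_conflicts(sys.stdin.read())
    for coords, variants in conflicts.items():
        print(f"{coords}: {', '.join(variants)}")
    sys.exit(1 if conflicts else 0)
```

Run as a CI step, the non-zero exit status fails the build when the same artifact appears both with and without a classifier.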
