[I] `analyze-exclusions` returns false positive `unnecessary excludes` [maven-dependency-plugin]

via GitHub Sat, 28 Mar 2026 16:42:42 -0700


JackPGreen opened a new issue, #1598:
URL: https://github.com/apache/maven-dependency-plugin/issues/1598


   ### Affected version
   
   3.10
   
   ### Bug description
   
   Take the following `pom.xml`:
   ```
   <project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
https://maven.apache.org/xsd/maven-4.0.0.xsd";>
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.example</groupId>
     <artifactId>reproducer</artifactId>
     <version>0.0.1-SNAPSHOT</version>
     <dependencyManagement>
     </dependencyManagement>
     <dependencies>
       <dependency>
         <groupId>org.apache.hadoop</groupId>
         <artifactId>hadoop-client</artifactId>
           <version>3.4.3</version>
         <exclusions>
           <exclusion>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-reload4j</artifactId>
           </exclusion>
         </exclusions>
       </dependency>
     </dependencies>
   </project>
   ```
   
   The output of `mvn dependency:3.10.0:analyze-exclusions 
dependency:3.10.0:tree` is:
   ```
   [INFO] --- dependency:3.10.0:analyze-exclusions (default-cli) @ reproducer 
---
   [WARNING] reproducer defines following unnecessary excludes
   [WARNING]     org.apache.hadoop:hadoop-client:3.4.3
   [WARNING]         - org.slf4j:slf4j-reload4j @ line: 14
   [INFO] 
   [INFO] --- dependency:3.10.0:tree (default-cli) @ reproducer ---
   [INFO] com.example:reproducer:jar:0.0.1-SNAPSHOT
   [INFO] \- org.apache.hadoop:hadoop-client:jar:3.4.3:compile
   [INFO]    +- org.apache.hadoop:hadoop-common:jar:3.4.3:compile
   [INFO]    |  +- 
org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_25:jar:1.5.0:compile
   [INFO]    |  +- 
org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:1.5.0:compile
   [INFO]    |  +- com.google.guava:guava:jar:32.0.1-jre:compile
   [INFO]    |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
   [INFO]    |  |  +- 
com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
   [INFO]    |  |  +- org.checkerframework:checker-qual:jar:3.33.0:compile
   [INFO]    |  |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
   [INFO]    |  +- commons-cli:commons-cli:jar:1.9.0:compile
   [INFO]    |  +- org.apache.commons:commons-math3:jar:3.6.1:compile
   [INFO]    |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
   [INFO]    |  |  \- commons-logging:commons-logging:jar:1.2:compile
   [INFO]    |  +- commons-codec:commons-codec:jar:1.15:compile
   [INFO]    |  +- commons-io:commons-io:jar:2.16.1:compile
   [INFO]    |  +- commons-net:commons-net:jar:3.9.0:compile
   [INFO]    |  +- org.apache.commons:commons-collections4:jar:4.4:compile
   [INFO]    |  +- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
   [INFO]    |  +- org.eclipse.jetty:jetty-servlet:jar:9.4.57.v20241219:compile
   [INFO]    |  |  +- 
org.eclipse.jetty:jetty-security:jar:9.4.57.v20241219:compile
   [INFO]    |  |  \- 
org.eclipse.jetty:jetty-util-ajax:jar:9.4.57.v20241219:compile
   [INFO]    |  +- org.eclipse.jetty:jetty-webapp:jar:9.4.57.v20241219:compile
   [INFO]    |  |  \- org.eclipse.jetty:jetty-xml:jar:9.4.57.v20241219:compile
   [INFO]    |  +- javax.servlet.jsp:jsp-api:jar:2.1:runtime
   [INFO]    |  +- com.sun.jersey:jersey-servlet:jar:1.19.4:compile
   [INFO]    |  +- ch.qos.reload4j:reload4j:jar:1.2.22:compile
   [INFO]    |  +- org.apache.commons:commons-configuration2:jar:2.10.1:compile
   [INFO]    |  +- org.apache.commons:commons-lang3:jar:3.18.0:compile
   [INFO]    |  +- org.apache.commons:commons-text:jar:1.14.0:compile
   [INFO]    |  +- org.slf4j:slf4j-api:jar:1.7.36:compile
   [INFO]    |  +- org.apache.avro:avro:jar:1.11.4:compile
   [INFO]    |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.14.3:compile
   [INFO]    |  +- com.google.re2j:re2j:jar:1.1:compile
   [INFO]    |  +- com.google.code.gson:gson:jar:2.9.0:compile
   [INFO]    |  +- org.apache.hadoop:hadoop-auth:jar:3.4.3:compile
   [INFO]    |  |  +- com.nimbusds:nimbus-jose-jwt:jar:10.4:compile
   [INFO]    |  |  +- org.apache.curator:curator-framework:jar:5.2.0:compile
   [INFO]    |  |  \- org.apache.kerby:kerb-util:jar:2.0.3:compile
   [INFO]    |  |     +- org.apache.kerby:kerby-config:jar:2.0.3:compile
   [INFO]    |  |     \- org.apache.kerby:kerb-crypto:jar:2.0.3:compile
   [INFO]    |  +- org.apache.curator:curator-client:jar:5.2.0:compile
   [INFO]    |  +- org.apache.curator:curator-recipes:jar:5.2.0:compile
   [INFO]    |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
   [INFO]    |  +- io.netty:netty-handler:jar:4.1.127.Final:compile
   [INFO]    |  |  +- io.netty:netty-common:jar:4.1.127.Final:compile
   [INFO]    |  |  +- io.netty:netty-resolver:jar:4.1.127.Final:compile
   [INFO]    |  |  +- io.netty:netty-buffer:jar:4.1.127.Final:compile
   [INFO]    |  |  +- io.netty:netty-transport:jar:4.1.127.Final:compile
   [INFO]    |  |  +- 
io.netty:netty-transport-native-unix-common:jar:4.1.127.Final:compile
   [INFO]    |  |  \- io.netty:netty-codec:jar:4.1.127.Final:compile
   [INFO]    |  +- 
io.netty:netty-transport-native-epoll:jar:4.1.127.Final:compile
   [INFO]    |  |  \- 
io.netty:netty-transport-classes-epoll:jar:4.1.127.Final:compile
   [INFO]    |  +- io.dropwizard.metrics:metrics-core:jar:3.2.4:compile
   [INFO]    |  +- org.apache.commons:commons-compress:jar:1.26.1:compile
   [INFO]    |  +- org.bouncycastle:bcprov-jdk18on:jar:1.82:compile
   [INFO]    |  +- org.apache.kerby:kerb-core:jar:2.0.3:compile
   [INFO]    |  |  \- org.apache.kerby:kerby-pkix:jar:2.0.3:compile
   [INFO]    |  |     +- org.apache.kerby:kerby-asn1:jar:2.0.3:compile
   [INFO]    |  |     \- org.apache.kerby:kerby-util:jar:2.0.3:compile
   [INFO]    |  +- 
com.fasterxml.jackson.core:jackson-databind:jar:2.12.7.1:compile
   [INFO]    |  +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
   [INFO]    |  +- com.fasterxml.woodstox:woodstox-core:jar:5.4.0:compile
   [INFO]    |  +- dnsjava:dnsjava:jar:3.6.1:compile
   [INFO]    |  \- org.xerial.snappy:snappy-java:jar:1.1.10.4:compile
   {...}
   ```
   
   If you follow the advise and then remove the `slf4j-reload4j` `exclusion` 
and re-execute:
   ```
   [INFO] --- dependency:3.10.0:analyze-exclusions (default-cli) @ reproducer 
---
   [INFO] 
   [INFO] --- dependency:3.10.0:tree (default-cli) @ reproducer ---
   [INFO] com.example:reproducer:jar:0.0.1-SNAPSHOT
   [INFO] \- org.apache.hadoop:hadoop-client:jar:3.4.3:compile
   [INFO]    +- org.apache.hadoop:hadoop-common:jar:3.4.3:compile
   {...}
   [INFO]    |  +- org.slf4j:slf4j-reload4j:jar:1.7.36:compile
   ```
   
   You can see the `exclusion` wasn't unused after all, as without it the 
`slf4j-reload4j` dependency appears in the tree


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[I] `analyze-exclusions` returns false positive `unnecessary excludes` [maven-dependency-plugin]

Reply via email to