brunoborges opened a new issue, #1637:
URL: https://github.com/apache/maven-dependency-plugin/issues/1637
### Affected version
`maven-dependency-plugin` `master` (3.11.1-SNAPSHOT), introduced with the
`dependency:add` goal (#1599).
### Description
When running `dependency:add` with an **explicit version** on a project that
has version-less dependencies managed by a **BOM import**, the dependency is
incorrectly added to `<dependencyManagement>` of the **current** POM instead of
`<dependencies>`.
This is exactly the layout produced by the standard
`maven-archetype-quickstart` archetype: a `junit-bom` `import` in
`<dependencyManagement>`, plus version-less `junit-jupiter-*` entries in
`<dependencies>`.
### Steps to reproduce
Given a quickstart-style `pom.xml`:
```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.junit</groupId>
      <artifactId>junit-bom</artifactId>
      <version>5.11.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
<dependencies>
  <dependency>
    <groupId>org.junit.jupiter</groupId>
    <artifactId>junit-jupiter-api</artifactId>
    <scope>test</scope>
  </dependency>
  <dependency>
    <groupId>org.junit.jupiter</groupId>
    <artifactId>junit-jupiter-params</artifactId>
    <scope>test</scope>
  </dependency>
</dependencies>
```
Run:
```bash
mvn dependency:add -Dgav=org.apache.commons:commons-lang3:3.20.0
```
### Expected
`commons-lang3:3.20.0` is added to `<dependencies>` (with its version).
### Actual
`commons-lang3` is added to the current POM's `<dependencyManagement>`
instead. Because there is no separate `<dependencies>` entry, the dependency is
not actually added to the project.
### Root cause
With the default `align=true`, `detectConventions()` flags the project as
"uses managed dependencies" purely because the majority of `<dependencies>` are
version-less:
```java
long totalDeps = getDependencyCount(editor, false);              // 2
List<String> depVersions = getDependencyVersions(editor, false); // [] (version-less)
if (totalDeps > 0 && depVersions.size() < totalDeps / 2.0) {     // true
    conv.useManaged = true;
}
```
But those dependencies are version-less only because their versions come
from the imported BOM. There is no parent POM (`findManagedDepsPom()` returns
`null`), so the cross-POM path is skipped and the managed dependency is written
into the current POM's `<dependencyManagement>`.
This contradicts the documented behavior of the `align` parameter, whose
Javadoc states the convention is to *"add managed dependency to **parent
POM**"*.
### Proposed fix
The auto-detected `useManaged` convention should only apply when a separate
parent POM exists to host the managed dependency. For a single/leaf POM, a
versioned add should go to `<dependencies>`. Explicit `-Dmanaged=true`
continues to target `<dependencyManagement>` as before.
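The heuristic and the proposed fix described in this issue, modelled as an added Python check that also reports where a coordinate ended up in a POM (this is not code from the issue or from maven-dependency-plugin). The function names, the constructed sample POMs, and the use of a `<parent>` element as a stand-in for `findManagedDepsPom()` returning non-null are assumptions.

```python
import xml.etree.ElementTree as ET

def parse_pom(text):
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]  # drop the POM namespace if present
    return root

def deps(root, managed=False):
    prefix = "./dependencyManagement" if managed else "."
    return root.findall(prefix + "/dependencies/dependency")

def use_managed_reported(root):
    # Heuristic quoted in the issue: fewer than half of <dependencies> carry a version.
    direct = deps(root)
    versioned = [d for d in direct if d.findtext("version")]
    return len(direct) > 0 and len(versioned) < len(direct) / 2.0

def use_managed_proposed(root):
    # Proposed fix: apply the heuristic only when a parent POM exists.
    # Assumption: a <parent> element stands in for findManagedDepsPom() != null.
    return root.find("./parent") is not None and use_managed_reported(root)

def placement(root, group_id, artifact_id):
    # Returns "dependencies", "managed-only" or "absent" for the given coordinates.
    def has(items):
        return any(d.findtext("groupId") == group_id
                   and d.findtext("artifactId") == artifact_id for d in items)
    if has(deps(root)):
        return "dependencies"
    return "managed-only" if has(deps(root, managed=True)) else "absent"

# Constructed sample POMs, modelled on the layout shown in the issue.
def dep(g, a, v=None, extra=""):
    ver = f"<version>{v}</version>" if v else ""
    return f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>{ver}{extra}</dependency>"
def pom(managed, direct):
    return (f"<project><dependencyManagement><dependencies>{managed}</dependencies>"
            f"</dependencyManagement><dependencies>{direct}</dependencies></project>")

BOM = dep("org.junit", "junit-bom", "5.11.0", "<type>pom</type><scope>import</scope>")
JUNIT = (dep("org.junit.jupiter", "junit-jupiter-api", extra="<scope>test</scope>")
         + dep("org.junit.jupiter", "junit-jupiter-params", extra="<scope>test</scope>"))
LANG3 = dep("org.apache.commons", "commons-lang3", "3.20.0")
BEFORE, ACTUAL, EXPECTED = pom(BOM, JUNIT), pom(BOM + LANG3, JUNIT), pom(BOM, JUNIT + LANG3)

if __name__ == "__main__":
    for name, text in (("actual", ACTUAL), ("expected", EXPECTED)):
        print(name, placement(parse_pom(text), "org.apache.commons", "commons-lang3"))
```

A `managed-only` result for a coordinate that was just added with an explicit version is the symptom reported here: the version is pinned but the artifact is not a dependency of the project.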