gnodet opened a new issue, #12302:
URL: https://github.com/apache/maven/issues/12302
## Description
Maven 4's default `TransitiveDependencyManager` (enabled when
`maven3Personality=false`) changes dependency mediation behavior compared to
Maven 3's `ClassicDependencyManager`. This causes two categories of regressions:
### 1. Scope derivation excludes transitive compile deps through provided parents
When a project declares a dependency with `provided` scope,
`TransitiveDependencyManager` derives the effective scope of its transitive
compile-scoped dependencies **during** collection (e.g., `provided × compile =
provided`). The `ScopeDependencySelector.legacy(null, ["test", "provided"])`
then filters them out at depth ≥ 1.
In Maven 3, scope derivation only happened **after** collection in the
`DependencyGraphTransformer`, so the selector saw the declared scope `compile`
and left the nodes in.
**Affected projects:** `hadoop-api-shim`, `flink-connector-hive`
Example dependency chain:
```
hadoop-api-shim
└── hadoop-common (scope: provided)
    ├── hadoop-annotations (scope: compile → derived: provided → EXCLUDED)
    └── jsr305 (scope: compile → derived: provided → EXCLUDED)
```
### 2. Managed version application to transitive dependencies
`TransitiveDependencyManager` applies `<dependencyManagement>` versions at
ALL depths during collection, not just to direct dependencies. This can
**downgrade** transitive dependency versions, triggering
`RequireUpperBoundDeps` and `BannedDependencies` enforcer rule violations that
pass with Maven 3.
**Affected projects:** `guacamole-client`, `logging-log4j-samples`,
`netbeans-html4j`
Example (guacamole-client):
```
Require upper bound dependencies error for com.google.code.findbugs:jsr305:3.0.1
+-guacamole-auth-header:1.6.1
  +-guice:5.1.0
    +-guava:32.1.3-jre (managed) <-- guava:30.1-jre
      +-jsr305:3.0.1 (managed) <-- jsr305:3.0.2
```
Note the `(managed)` annotations — Maven 4 is applying the parent's
`dependencyManagement` to transitive deps, downgrading jsr305 from 3.0.2 to
3.0.1.
## Root cause
`TransitiveDependencyManager.manageDependency()` applies managed
versions/scopes at depth ≥ 2 during collection. Maven 3's
`ClassicDependencyManager` did not do this — version management and scope
derivation were handled post-collection in the graph transformer.
## Workaround
`-Dmaven.maven3Personality=true` reverts to `ClassicDependencyManager`
behavior.
## Suggested fix
`ScopeDependencySelector.legacy` should use declared scopes from the POM,
not derived scopes. The transitive version management should match Maven 3's
behavior where managed versions are applied post-collection.
## Reproducers
```bash
# Scope derivation issue
git clone https://github.com/apache/hadoop-api-shim.git && cd hadoop-api-shim
mvn -B -e clean package -DskipTests
# Enforcer mediation issue
git clone https://github.com/apache/guacamole-client.git && cd guacamole-client
mvn -B -e clean package -DskipTests
```
## Context
Found during [Maven 4 compatibility
testing](https://github.com/gnodet/maven4-testing/issues/13307) of Apache
projects. Detailed root cause analysis in [hadoop-api-shim
issue](https://github.com/gnodet/maven4-testing/issues/20241#issuecomment-4735787197).
_Claude Code on behalf of Guillaume Nodet_
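
The following is an added example, not part of the original issue or of Maven or the enforcer plugin: a small check that scans enforcer output in the format quoted above and reports which `(managed)` entries lowered a version, reading `X:a (managed) <-- X:b` as "declared `b`, now resolved as `a`" as the issue's note does. The function names and the simplified version ordering are assumptions made for illustration.

```python
import re

# Constructed sample: the enforcer output quoted in the issue above.
SAMPLE = """\
Require upper bound dependencies error for com.google.code.findbugs:jsr305:3.0.1
+-guacamole-auth-header:1.6.1
  +-guice:5.1.0
    +-guava:32.1.3-jre (managed) <-- guava:30.1-jre
      +-jsr305:3.0.1 (managed) <-- jsr305:3.0.2
"""

# Matches "+-<artifact>:<effective> (managed) <-- <artifact>:<declared>".
MANAGED = re.compile(
    r"\+-(?P<name>\S+):(?P<effective>[^\s:]+)\s+\(managed\)"
    r"\s+<--\s+(?P=name):(?P<declared>\S+)"
)


def version_key(version):
    """Simplified ordering (assumption): leading dotted numeric fields only.

    This is not Maven's own version comparison; qualifiers such as "-jre"
    are ignored and trailing zero fields are dropped so 3.0 == 3.0.0.
    """
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in numeric.group().split(".")] if numeric else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def managed_changes(report):
    """Return (artifact, declared, effective, kind) for each '(managed)' line."""
    changes = []
    for line in report.splitlines():
        m = MANAGED.search(line)
        if not m:
            continue
        declared, effective = m["declared"], m["effective"]
        d, e = version_key(declared), version_key(effective)
        kind = "downgrade" if e < d else "upgrade" if e > d else "same"
        changes.append((m["name"], declared, effective, kind))
    return changes


def downgrades(report):
    """Only the entries where management lowered the resolved version."""
    return [c for c in managed_changes(report) if c[3] == "downgrade"]


if __name__ == "__main__":
    for name, declared, effective, kind in managed_changes(SAMPLE):
        print(f"{kind:9} {name}: declared {declared} -> effective {effective}")
```

Running the same check on the output of a Maven 3 build and a Maven 4 build of one project shows which transitive versions changed only because of the dependency manager.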