Re: Merging dependency exclusions from dependencyManagement and dependencies
Hi,

in my original post I've described that exclusions from the dependencyManagement are used for downstream projects as long as there aren't any exclusions specified at the dependency itself. So the conclusion that dependencyManagement isn't transitive cannot be true, at least for some cases.

The actual behavior seems to be inconsistent and rather confusing to me.

Can some Maven expert/maintainer please comment on my original question? How is this supposed to work, is this as intended?

Thank you,
Andreas

Andy Feldman wrote on 15.05.19 18:39:
> I have observed similar behavior with the version number. My conclusion was
> that dependencyManagement is not transitive.
>
> Example of what I observed:
> I have a project my-library with transitive dependencies on
> 3rd-party-library version 1.1 and 1.2 that would normally resolve to 1.1.
> I use dependencyManagement in my-library to override it to 1.2.
> I use my-library from my-project.
> my-project gets 3rd-party-library 1.1 instead of 1.2.
>
> The docs at
> https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
> suggest that you can manually pull in the dependencyManagement section of
> another pom. Look for "Z imports the managed dependencies from both X and Y."
> I haven't tried this approach.
>
> On Wed, May 15, 2019 at 2:17 AM Andreas Hubold wrote:
>
>> Hi all,
>>
>> I have a question on how effective dependency exclusions are computed.
>> I'd expect that exclusions are additive when specified for the same
>> dependency in the dependencyManagement and dependencies sections. This
>> is also what I read at https://stackoverflow.com/a/10736186
>>
>> The output of dependency:tree also confirms this for the project that
>> declares the dependency, however the effects are different for another
>> project that depends on the former.
>>
>> I've prepared a simplified example with two projects a and b. You can
>> find it at https://github.com/ahubold/test-maven-dependency-exclusion
>>
>> a/pom.xml
>> - dependencyManagement for httpclient, excluding commons-logging
>> - dependency on httpclient, excluding commons-codec
>>
>> b/pom.xml
>> - dependency on a
>>
>> The dependency:tree for a/pom.xml shows that exclusions are additive
>> here and neither commons-logging nor commons-codec show up in the
>> result. That's fine.
>>
>> [INFO] a:a:jar:1.0.0-SNAPSHOT
>> [INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
>> [INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
>>
>> But the dependency:tree for b/pom.xml has a transitive dependency to
>> commons-logging, which confuses me:
>>
>> [INFO] b:b:pom:1.0.0-SNAPSHOT
>> [INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
>> [INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
>> [INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
>> [INFO]       \- commons-logging:commons-logging:jar:1.2:compile
>>
>> I would have expected to not see commons-logging here. Its exclusion
>> really seems to be hidden by the exclusion of commons-codec. If I now
>> change a/pom.xml and remove the exclusion of commons-codec, then
>> commons-logging will disappear from the dependencies:
>>
>> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
>> [INFO] b:b:pom:1.0.0-SNAPSHOT
>> [INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
>> [INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
>> [INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
>> [INFO]       \- commons-codec:commons-codec:jar:1.11:compile
>>
>> My maven version is 3.6.0.
>>
>> Any thoughts? Is this a bug or intended behavior?
>>
>> Kind regards,
>> Andreas

-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org

Re: Merging dependency exclusions from dependencyManagement and dependencies
I have observed similar behavior with the version number. My conclusion was that dependencyManagement is not transitive.

Example of what I observed:
I have a project my-library with transitive dependencies on 3rd-party-library version 1.1 and 1.2 that would normally resolve to 1.1.
I use dependencyManagement in my-library to override it to 1.2.
I use my-library from my-project.
my-project gets 3rd-party-library 1.1 instead of 1.2.

The docs at https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html suggest that you can manually pull in the dependencyManagement section of another pom. Look for "Z imports the managed dependencies from both X and Y." I haven't tried this approach.

On Wed, May 15, 2019 at 2:17 AM Andreas Hubold wrote:

> Hi all,
>
> I have a question on how effective dependency exclusions are computed.
> I'd expect that exclusions are additive when specified for the same
> dependency in the dependencyManagement and dependencies sections. This
> is also what I read at https://stackoverflow.com/a/10736186
>
> The output of dependency:tree also confirms this for the project that
> declares the dependency, however the effects are different for another
> project that depends on the former.
>
> I've prepared a simplified example with two projects a and b. You can
> find it at https://github.com/ahubold/test-maven-dependency-exclusion
>
> a/pom.xml
> - dependencyManagement for httpclient, excluding commons-logging
> - dependency on httpclient, excluding commons-codec
>
> b/pom.xml
> - dependency on a
>
> The dependency:tree for a/pom.xml shows that exclusions are additive
> here and neither commons-logging nor commons-codec show up in the
> result. That's fine.
>
> [INFO] a:a:jar:1.0.0-SNAPSHOT
> [INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
> [INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
>
> But the dependency:tree for b/pom.xml has a transitive dependency to
> commons-logging, which confuses me:
>
> [INFO] b:b:pom:1.0.0-SNAPSHOT
> [INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
> [INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
> [INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
> [INFO]       \- commons-logging:commons-logging:jar:1.2:compile
>
> I would have expected to not see commons-logging here. Its exclusion
> really seems to be hidden by the exclusion of commons-codec. If I now
> change a/pom.xml and remove the exclusion of commons-codec, then
> commons-logging will disappear from the dependencies:
>
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
> [INFO] b:b:pom:1.0.0-SNAPSHOT
> [INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
> [INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
> [INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
> [INFO]       \- commons-codec:commons-codec:jar:1.11:compile
>
> My maven version is 3.6.0.
>
> Any thoughts? Is this a bug or intended behavior?
>
> Kind regards,
> Andreas

Merging dependency exclusions from dependencyManagement and dependencies
Hi all,

I have a question on how effective dependency exclusions are computed. I'd expect that exclusions are additive when specified for the same dependency in the dependencyManagement and dependencies sections. This is also what I read at https://stackoverflow.com/a/10736186

The output of dependency:tree also confirms this for the project that declares the dependency, however the effects are different for another project that depends on the former.

I've prepared a simplified example with two projects a and b. You can find it at https://github.com/ahubold/test-maven-dependency-exclusion

a/pom.xml
- dependencyManagement for httpclient, excluding commons-logging
- dependency on httpclient, excluding commons-codec

b/pom.xml
- dependency on a

The dependency:tree for a/pom.xml shows that exclusions are additive here and neither commons-logging nor commons-codec show up in the result. That's fine.

[INFO] a:a:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile

But the dependency:tree for b/pom.xml has a transitive dependency to commons-logging, which confuses me:

[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-logging:commons-logging:jar:1.2:compile

I would have expected to not see commons-logging here. Its exclusion really seems to be hidden by the exclusion of commons-codec. If I now change a/pom.xml and remove the exclusion of commons-codec, then commons-logging will disappear from the dependencies:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-codec:commons-codec:jar:1.11:compile

My maven version is 3.6.0.

Any thoughts? Is this a bug or intended behavior?

Kind regards,
Andreas
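
Added example, not part of the original thread and not Maven's own code: a Python check that parses dependency:tree output like the trees in the original post and reports every artifact from an exclusion list that still resolves, together with the path that pulls it in. The function names are hypothetical, and the embedded samples assume the usual three columns of indentation per tree level.

```python
import re

# Constructed samples: the dependency:tree outputs for a/pom.xml and b/pom.xml
# from the post, with three columns of indentation per tree level (assumed).
TREE_A = r"""[INFO] a:a:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
"""
TREE_B = r"""[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-logging:commons-logging:jar:1.2:compile
"""
# Both exclusions that a/pom.xml declares for httpclient.
EXCLUDED = {"commons-logging:commons-logging", "commons-codec:commons-codec"}

# One tree node: optional indent columns, optional "+- " or "\- " marker,
# then group:artifact:type[:classifier]:version[:scope].
NODE = re.compile(
    r"^\[INFO\] (?P<indent>(?:\|  |   )*)(?P<marker>[+\\]- )?"
    r"(?P<coords>[^\s:]+(?::[^\s:]+){3,5})\s*$"
)

def parse_tree(text):
    """Return [(group:artifact, path from root)] for every node in the tree."""
    stack, nodes = [], []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # plugin banner, blank line or other non-tree output
        depth = len(m["indent"]) // 3 + (1 if m["marker"] else 0)
        group, artifact = m["coords"].split(":")[:2]
        ga = f"{group}:{artifact}"
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(ga)
        nodes.append((ga, list(stack)))
    return nodes

def leaked_exclusions(text, excluded):
    """Map each excluded group:artifact that still resolves to its path."""
    return {ga: " > ".join(path) for ga, path in parse_tree(text) if ga in excluded}

if __name__ == "__main__":
    for name, tree in (("a", TREE_A), ("b", TREE_B)):
        leaks = leaked_exclusions(tree, EXCLUDED)
        print(name, "OK" if not leaks else leaks)
```

Run against each consuming module, a check like this fails the build when an exclusion declared upstream does not hold downstream, which is the case the post reports for project b.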