[ https://issues.apache.org/jira/browse/TIKA-3934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17636242#comment-17636242 ]
Konstantin Gribov edited comment on TIKA-3934 at 11/19/22 10:31 PM:
--------------------------------------------------------------------

It seems that it doesn't if the dependency isn't used in the tika artifact in any way (including test dependencies).

If I have an import for {{org.apache.tika:tika-bom}} and add {{org.apache.tika:tika-core}} and {{io.netty:netty-buffer}} without versions, both Maven and Gradle builds will fail.

On the other hand, the {{log4j-core}} version (and version constraint in the Gradle case) leaks from {{tika-parent}} via {{tika-bom}}. Inconsistently in the Maven case.

||Type||Use BOM||tika-core||log4j-core||Result||
|Maven|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Maven|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.18.0|
|Maven|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|
|Gradle|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|

Test Maven project (run {{mvn package}} to see actual dependencies in the output):

{code:xml|title=pom.xml}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>bom-test</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.tika</groupId>
                <artifactId>tika-bom</artifactId>
                <version>2.6.0</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.apache.tika</groupId>
            <artifactId>tika-core</artifactId>
            <!--<version>2.6.0</version>-->
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <!--<version>2.18.0</version>-->
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <version>3.3.0</version>
                <executions>
                    <execution>
                        <id>test</id>
                        <phase>package</phase>
                        <goals>
                            <goal>copy-dependencies</goal>
                        </goals>
                        <configuration>
                            <outputDirectory>${project.build.directory}/deps</outputDirectory>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
{code}

Gradle test project (run {{gradle dependencyInsight --dependency log4j}} or {{gradle dependencies --configuration rC}}):

{code:groovy|title=settings.gradle.kts}
dependencyResolutionManagement {
    repositories.mavenCentral()
}
{code}

{code:groovy|title=build.gradle.kts}
plugins {
    id("java-library")
}

dependencies {
    api(platform("org.apache.tika:tika-bom:2.6.0"))
    api("org.apache.tika:tika-core")
    implementation("org.apache.logging.log4j:log4j-core:2.18.0")
}
{code}


was (Author: grossws):
It seems that it doesn't, if I have an import for {{org.apache.tika:tika-bom}} and add {{org.apache.tika:tika-core}} and {{io.netty:netty-buffer}} without versions, both Maven and Gradle builds will fail.

On the other hand, the {{log4j-core}} version (and version constraint in the Gradle case) leaks from {{tika-parent}} via {{tika-bom}}.

||Type||Use BOM||tika-core||log4j-core||Result||
|Maven|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Maven|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.18.0|
|Maven|no|2.6.0.|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|
|Gradle|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|

Test Maven project (run {{mvn package}} to see actual dependencies in the output):

{code:xml|title=pom.xml}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>bom-test</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.tika</groupId>
                <artifactId>tika-bom</artifactId>
                <version>2.6.0</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.apache.tika</groupId>
            <artifactId>tika-core</artifactId>
            <!--<version>2.6.0</version>-->
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <!--<version>2.18.0</version>-->
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <version>3.3.0</version>
                <executions>
                    <execution>
                        <id>test</id>
                        <phase>package</phase>
                        <goals>
                            <goal>copy-dependencies</goal>
                        </goals>
                        <configuration>
                            <outputDirectory>${project.build.directory}/deps</outputDirectory>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
{code}

Gradle test project (run {{gradle dependencyInsight --dependency log4j}} or {{gradle dependencies --configuration rC}}):

{code:kotlin|title=settings.gradle.kts}
dependencyResolutionManagement {
    repositories.mavenCentral()
}
{code}

{code:kotlin|title=build.gradle.kts}
plugins {
    `java-library`
}

dependencies {
    api(platform("org.apache.tika:tika-bom:2.6.0"))
    api("org.apache.tika:tika-core")
    implementation("org.apache.logging.log4j:log4j-core:2.18.0")
}
{code}


> Reorganize POMs parent chain to avoid leaking dependency management downstream
> ------------------------------------------------------------------------------
>
>                 Key: TIKA-3934
>                 URL: https://issues.apache.org/jira/browse/TIKA-3934
>             Project: Tika
>          Issue Type: Improvement
>          Components: depedency
>    Affects Versions: 2.6.0
>            Reporter: Konstantin Gribov
>            Assignee: Konstantin Gribov
>            Priority: Major
>             Fix For: 2.6.1, 2.7.0
>
>
> Tika's BOM (Bill of Materials) artifact has {{tika-parent}} as a parent POM
> and thus forces a lot of dependency versions on downstream users.
> For example, if one uses only the PDF module there's no reason to force
> Netty/Jetty/CXF/whatever versions.
> I propose the following:
> * make the {{tika}} reactor depend on {{tika-parent}} and all other {{tika-*}}
> modules on the reactor
> * move all our dependency management and build related configuration to the
> reactor ({{tika}} root project)
> I started this work last week and will publish the first PR for review soon.
> Moving parts from {{tika-parent}} to {{tika}} may take some time, so little
> steps without build disruption are a must



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
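
The second Maven row of the table (BOM imported, {{log4j-core}} pinned to 2.18.0) resolves {{log4j-api}} and {{log4j-core}} at different versions. The following check is an added example, not part of the Jira comment or of Tika: it scans the jar names that {{copy-dependencies}} writes and reports any artifact family resolved at mixed versions. The function names, the {{target/deps}} default and the sample file lists are assumptions constructed from the table.

```python
import re
import sys
from pathlib import Path

# artifactId-version.jar, the default name written by copy-dependencies
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_jar(name):
    """Split 'log4j-api-2.19.0.jar' into ('log4j-api', '2.19.0'); None if no match."""
    m = JAR_RE.match(name)
    return (m["artifact"], m["version"]) if m else None


def find_skew(jar_names, prefixes=("log4j-",)):
    """Return {prefix: {artifact: version}} for each family resolved at mixed versions."""
    families = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        for prefix in prefixes:
            if artifact.startswith(prefix):
                families.setdefault(prefix, {})[artifact] = version
    return {p: arts for p, arts in families.items()
            if len(set(arts.values())) > 1}


# Constructed file lists mirroring the three Maven rows of the table;
# only the jars the table reports (plus tika-core) are listed.
MAVEN_BOM_ONLY = ["tika-core-2.6.0.jar", "log4j-api-2.19.0.jar", "log4j-core-2.19.0.jar"]
MAVEN_BOM_PINNED = ["tika-core-2.6.0.jar", "log4j-api-2.19.0.jar", "log4j-core-2.18.0.jar"]
MAVEN_NO_BOM = ["tika-core-2.6.0.jar", "log4j-api-2.18.0.jar", "log4j-core-2.18.0.jar"]

if __name__ == "__main__":
    # Assumed location: the outputDirectory configured in the test pom.xml.
    deps = Path(sys.argv[1] if len(sys.argv) > 1 else "target/deps")
    names = [p.name for p in deps.glob("*.jar")] if deps.is_dir() else MAVEN_BOM_PINNED
    skew = find_skew(names)
    for prefix, arts in skew.items():
        print(f"version skew in {prefix}*: {arts}")
    sys.exit(1 if skew else 0)
```

Run after {{mvn package}}, the non-zero exit status can fail a CI job when an imported BOM and a local pin disagree.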