Alexey Loubyansky created MRESOLVER-503:
-------------------------------------------
Summary: Differences between results of dependency:tree and direct
resolver API calls
Key: MRESOLVER-503
URL: https://issues.apache.org/jira/browse/MRESOLVER-503
Project: Maven Resolver
Issue Type: New Feature
Components: Resolver
Reporter: Alexey Loubyansky
I noticed a difference in dependency trees produced by dependency:tree and what
seems to be an equivalent invocation of the resolver using its API.
It can be reproduced by applying the following change to the maven-resolver
demo class
[https://github.com/apache/maven-resolver/compare/master...aloubyansky:maven-resolver:dep-tree-diff?expand=1]
Running that results in
{code:java}
com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
+- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
|  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
|  +- com.nimbusds:content-type:jar:2.2 [compile]
|  +- net.minidev:json-smart:jar:2.4.8 [compile]
|  +- com.nimbusds:lang-tag:jar:1.6 [compile]
|  \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
+- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile]
{code}
Notice the position of json-smart in the tree - it's a dependency of
oauth2-oidc-sdk in this case.
Now
{code:java}
cd ~/.m2/repository/com/microsoft/azure/msal4j/1.13.1.redhat-00001{code}
{code:java}
mvn dependency:tree -f msal4j-1.13.1.redhat-00001.pom -Dscope=compile
{code}
The output is
{code:java}
[INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
[INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
[INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  +- com.nimbusds:content-type:jar:2.2:compile
[INFO] |  +- com.nimbusds:lang-tag:jar:1.6:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
[INFO] +- net.minidev:json-smart:jar:2.4.8:compile
[INFO] |  \- net.minidev:accessors-smart:jar:2.4.8:compile
[INFO] |     \- org.ow2.asm:asm:jar:9.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
{code}
In this case json-smart is shown as a direct dependency of msal4j, which it is
in its POM.
Following the preference of the nearest to the root, dependency:tree seems to
be correct, doesn't it?
In any case, I'd expect the same result (for compile scope) dependencies out of
both approaches. Thanks.
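An added example, not part of the original report or of the Maven Resolver project: a small parser that turns both tree dumps into child-to-parent maps and reports every artifact whose parent differs or that appears in only one result, which is the check a dependency inventory or SBOM comparison needs here. The names `parents` and `diff` are hypothetical, and the dumps are the two outputs from the report with their indentation restored.

```python
import re

# Dumps copied from the report above, tree indentation restored.
RESOLVER_API = r"""
com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
+- com.nimbusds:oauth2-oidc-sdk:jar:9.35 [compile]
|  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1 [compile]
|  +- com.nimbusds:content-type:jar:2.2 [compile]
|  +- net.minidev:json-smart:jar:2.4.8 [compile]
|  +- com.nimbusds:lang-tag:jar:1.6 [compile]
|  \- com.nimbusds:nimbus-jose-jwt:jar:9.22 [compile]
+- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002 [compile]
\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1 [compile]
"""
MAVEN_PLUGIN = r"""
[INFO] com.microsoft.azure:msal4j:jar:1.13.1.redhat-00001
[INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
[INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  +- com.nimbusds:content-type:jar:2.2:compile
[INFO] |  +- com.nimbusds:lang-tag:jar:1.6:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
[INFO] +- net.minidev:json-smart:jar:2.4.8:compile
[INFO] |  \- net.minidev:accessors-smart:jar:2.4.8:compile
[INFO] |     \- org.ow2.asm:asm:jar:9.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36.redhat-00002:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
"""

# Optional "[INFO] ", then 3-char indent units, then "+- " or "\- ", then coordinates.
LINE = re.compile(r"^(?:\[INFO\] )?((?:[| ]  )*)([+\\]- )?(\S+)")

def parents(dump):
    """Map groupId:artifactId -> parent groupId:artifactId (None for the root)."""
    stack, result = [], {}
    for m in filter(None, map(LINE.match, dump.splitlines())):
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        ga = ":".join(m.group(3).split(":")[:2])
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        result[ga] = stack[-1] if stack else None
        stack.append(ga)
    return result

def diff(a, b):
    """Return (moved, only_in_a, only_in_b) for two parent maps."""
    moved = {ga: (a[ga], b[ga]) for ga in a.keys() & b.keys() if a[ga] != b[ga]}
    return moved, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
```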