> Is it because the oci-java-sdk is 2 hops from my pom and the jackson-bom
> is 3 hops?
Yes, my experience tells me that the distance from your pom matters.
> Is there anything I can do to control this such that the versions defined
> in my parent "win"?
No, I think you can only import jackson-bom of
I'm quite interested in this conversation as in my experience the process
of producing & consuming BOMs is still misunderstood.
Regarding 3rd party dependencies in a BOM, I've seen 2 main usages of BOMs.
- library BOM: defines *only* those modules belonging to the same
multi-project. Examples:
Actually, I'd say those BOMs probably shouldn't declare jackson. The
project's dependencies should be enough, and you explicitly declare the
version you need/want to use.
In the case of the OCI BOM, it seems quite clear that it mistakenly
inherits dependency management from its parent POM: most
Not sure the behavior in your particular case is exactly documented, but it
is sure that the depth in the dependency tree and order at the same level
play a role.
You can find some hints inside an Andres Almiray blog post:
http://andresalmiray.com/maven-dependencies-pop-quiz-results/
One
Hi,
I have the following structure in my pom:
My pom <- import oci-java-sdk-bom <- parent = ocj-java-sdk
^
|
parent = spring-boot-starter-parent
^
|
parent = spring-boot-dependencies <- import jackson-bom
Both jackson-bom and oci-java-sdk have a dependency management section and
declare