Merging dependency exclusions from dependencyManagement and dependencies

Wed, 15 May 2019 02:17:58 -0700 

Hi all,
I have a question on how effective dependency exclusions are computed. I'd expect that exclusions are additive when specified for the same dependency in the dependencyManagement and dependencies sections. This is also what I read at https://stackoverflow.com/a/10736186 


The output of dependency:tree also confirms this for the project that 
declares the dependency, however the effects are different for another 
project that depends on the former.



I've prepared a simplified example with two projects a and b. You can 
find it at https://github.com/ahubold/test-maven-dependency-exclusion


a/pom.xml
- dependencyManagement for httpclient, excluding commons-logging
- dependency on httpclient, excluding commons-codec

b/pom.xml
- dependency on a


The dependency:tree for a/pom.xml shows that exclusions are additive 
here and neither commons-logging nor commons-codec show up in the 
result. That's fine.


[INFO] a:a:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile


But the dependency:tree for b/pom.xml has a transitive dependency to 
commons-logging, which confuses me:


[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-logging:commons-logging:jar:1.2:compile


I would have expected to not see commons-logging here. Its exclusion 
really seems to be hidden by the exclusion of commons-codec. If I now 
change a/pom.xml and remove the exclusion of commons-codec, then 
commons-logging will disappear from the dependencies:


[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-codec:commons-codec:jar:1.11:compile

My maven version is 3.6.0.

Any thoughts? Is this a bug or intended behavior?

Kind regards,
Andreas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org























					Reply via email to