In general, I know how to override transient artifact versions. You add an
"exclusion" for the artifact on the dependency that is including that
dependency, and then you manually add that dependency in the same pom where
you added the exclusion.  In my case, the version I want is defined in a
bom in our parent pom, so I don't have to specify the version in that
dependency.

This works fine, if I do this exclusion and inclusion in the overall "child
pom".

However, I maintain the parent pom and platform, and there will be dozens
of "child poms" that will need to do this.  I would much rather do this
"fixup" in the poms for the libraries in our platform.  Those poms specify
the dependencies whose versions I need to control.

I've been struggling with trying to do this, along with trying to
understand the output of "mvn dependency:tree" and the apparently
functionally similar output in the "Dependency Hierarchy" view in Eclipse
using the m2e plugin.  Although I can loosely see the hierarchical output
from these, I find determining the actual details of where dependencies are
coming from is very mystifying.

To get down to actual details, my problem is that I'm ending up with
different versions of "jackson-core" and "jackson-databind".  I need to
ensure that I have the same versions of both.  I am getting v2.14.1 of
jackson-databind and v2.13.5 of jackson-core.  We are specifying v2.13.5 in
our parent pom, but somehow something in the tree is giving us v2.14.1 of
jackson-databind.

I'm going to include here a small excerpt of the "dependency:tree" output
for our child pom:

 com.att.idp:RiskAssessmentMS:jar:2.8.0
+- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile
+- org.jasypt:jasypt:jar:1.9.3:compile
+- com.io7m.xom:xom:jar:1.2.10:compile
+- com.att.idp:idp-health:jar:2.8.0:compile
|  +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile
|  +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from constraint [2.8.0,2.8.100))
|  |  \- ch.qos.logback:logback-core:jar:1.2.9:compile
|  +- redis.clients:jedis:jar:3.8.0:compile
|  |  \- org.apache.commons:commons-pool2:jar:2.11.1:compile
|  +- com.github.fppt:jedis-mock:jar:0.1.23:compile
|  |  \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile
|  \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile
+- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
+- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile

The "idp-health" library is one of our wrapper libraries.  That specifies
dependencies that pull in jackson-databind, and in those dependencies I
have excluded jackson-databind and included a specific dependency for
jackson-databind. As the bom imported from the parent pom specifies v2.13.5
for that, I would expect I would get jackson-databind v2.13.5, but I'm
still getting v2.14.1.

I'm very confused.

I think I remember seeing discussions in the dev list about improving the
output of dependency:tree to be clearer; I don't know if there's been any
progress on that.
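
A check for the mismatch described in the message, as an added example that is not part of the original post: it parses "mvn dependency:tree" text, records each node's depth and path from the root, and reports any groupId whose artifacts resolved at more than one version. The sample is a shortened copy of the excerpt above; the function names and the "one version per groupId" rule are assumptions of this example, and that rule is a heuristic that only fits groups released in lockstep, such as com.fasterxml.jackson.core.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the dependency:tree excerpt in the message.
TREE = r"""
com.att.idp:RiskAssessmentMS:jar:2.8.0
+- com.att.idp:idp-health:jar:2.8.0:compile
|  +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from constraint [2.8.0,2.8.100))
|  |  \- ch.qos.logback:logback-core:jar:1.2.9:compile
|  \- redis.clients:jedis:jar:3.8.0:compile
+- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
+- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
"""

# Optional "[INFO] " log prefix, the tree-drawing characters, then the coordinates.
LINE = re.compile(r"^(?:\[INFO\] )?(?P<prefix>[|+\\\- ]*)(?P<coords>[^\s:]+(?::[^\s:]+){3,5})")

def parse_tree(text):
    """Return one dict per node: group, artifact, version, depth, path from root."""
    nodes, stack = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        parts = m["coords"].split(":")
        # g:a:type:version[:scope], or g:a:type:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        depth = len(m["prefix"]) // 3  # each tree level is drawn with 3 characters
        del stack[depth:]              # drop siblings and deeper nodes from the path
        stack.append(parts[1])
        nodes.append({"group": parts[0], "artifact": parts[1], "version": version,
                      "depth": depth, "path": " > ".join(stack)})
    return nodes

def version_skew(nodes):
    """Map groupId -> {artifact: version} for groups resolved at more than one version."""
    by_group = defaultdict(dict)
    for n in nodes[1:]:  # skip the project itself
        by_group[n["group"]][n["artifact"]] = n["version"]
    return {g: a for g, a in by_group.items() if len(set(a.values())) > 1}

if __name__ == "__main__":
    nodes = parse_tree(TREE)
    for group, artifacts in version_skew(nodes).items():
        print("version skew in", group, artifacts)
    for n in nodes:
        if n["group"] == "com.fasterxml.jackson.core":
            print("depth", n["depth"], "|", n["path"], "|", n["version"])
```

On this sample both Jackson artifacts are reported at depth 1, directly under the project node, not beneath idp-health.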
