Just as an alternative: there is also since 3.9 the "reverse dep tree": https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L96-L104
Just pass to Maven `-Dmaven.repo.local.recordReverseTree` and Maven will populate the local repository with "back track info". Ideally just use a new empty local repo for this, as that would pull everything and populate it for all pulled artifacts.

HTH
T

On Sat, Jul 29, 2023 at 10:24 AM Delany <delany.middle...@gmail.com> wrote:

> Hi David,
>
> When I want to know what's bringing in a dependency I use
> https://github.com/ferstl/depgraph-maven-plugin
>
> mvn depgraph:aggregate -DtargetIncludes=:jackson-databind
>
> And it drops a nice diagram in the root build dir.
>
> <plugin>
>   <groupId>com.github.ferstl</groupId>
>   <artifactId>depgraph-maven-plugin</artifactId>
>   <version>4.0.2</version>
>   <configuration>
>     <createImage>true</createImage>
>     <customStyleConfiguration>classpath:depgraph/depgraph.json</customStyleConfiguration>
>     <dotArguments>-Kfdp -Goverlap=false -Gstart=30 -Gsep=+10,10</dotArguments>
>     <graphFormat>dot</graphFormat>
>     <mergeScopes>true</mergeScopes>
>     <showConflicts>true</showConflicts>
>     <showDuplicates>false</showDuplicates>
>     <repeatTransitiveDependenciesInTextGraph>false</repeatTransitiveDependenciesInTextGraph>
>     <transitiveExcludes>*</transitiveExcludes>
>   </configuration>
> </plugin>
>
> Delany
>
> On Sat, 29 Jul 2023 at 01:29, David Karr <davidmichaelk...@gmail.com> wrote:
>
> > In general, I know how to override transient artifact versions. You add an
> > "exclusion" for the artifact on the dependency that is including that
> > dependency, and then you manually add that dependency in the same pom where
> > you added the exclusion. In my case, the version I want is defined in a
> > bom in our parent pom, so I don't have to specify the version in that
> > dependency.
> >
> > This works fine, if I do this exclusion and inclusion in the overall "child
> > pom".
> >
> > However, I maintain the parent pom and platform, and there will be dozens
> > of "child poms" that will need to do this. I would much rather do this
> > "fixup" in the poms for the libraries in our platform. Those poms specify
> > the dependencies whose versions I need to control.
> >
> > I've been struggling with trying to do this, along with trying to
> > understand the output of "mvn dependency:tree" and the apparently
> > functionally similar output in the "Dependency Hierarchy" view in Eclipse
> > using the m2e plugin. Although I can loosely see the hierarchical output
> > from these, I find determining the actual details of where dependencies are
> > coming from is very mystifying.
> >
> > To get down to actual details, my problem is that I'm ending up with
> > different versions of "jackson-core" and "jackson-databind". I need to
> > ensure that I have the same versions of both. I am getting v2.14.1 of
> > jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 in
> > our parent pom, but somehow something in the tree is giving us v2.14.1 of
> > jackson-databind.
> >
> > I'm going to include here a small excerpt of the "dependency:tree" output
> > for our child pom:
> >
> > com.att.idp:RiskAssessmentMS:jar:2.8.0
> > +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile
> > +- org.jasypt:jasypt:jar:1.9.3:compile
> > +- com.io7m.xom:xom:jar:1.2.10:compile
> > +- com.att.idp:idp-health:jar:2.8.0:compile
> > |  +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile
> > |  +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from constraint [2.8.0,2.8.100))
> > |  |  \- ch.qos.logback:logback-core:jar:1.2.9:compile
> > |  +- redis.clients:jedis:jar:3.8.0:compile
> > |  |  \- org.apache.commons:commons-pool2:jar:2.11.1:compile
> > |  +- com.github.fppt:jedis-mock:jar:0.1.23:compile
> > |  |  \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile
> > |  \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile
> > +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
> > +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
> >
> > The "idp-health" library is one of our wrapper libraries. That specifies
> > dependencies that pull in jackson-databind, and in those dependencies I
> > have excluded jackson-databind and included a specific dependency for
> > jackson-databind. As the bom imported from the parent pom specifies v2.13.5
> > for that, I would expect I would get jackson-databind v2.13.5, but I'm
> > still getting v2.14.1.
> >
> > I'm very confused.
> >
> > I think I remember seeing discussions in the dev list about improving the
> > output of dependency:tree to be clearer, I don't know if there's been any
> > progress on that.
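
Added example, not part of the thread and not code from Maven or any plugin mentioned in it: a small Python parser for "mvn dependency:tree" text output that reports when one groupId resolves to more than one version, with the ancestor path of each hit. The function names are this example's own, the sample is constructed from the excerpt above, and the usual three-character tree indentation is assumed.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the dependency:tree excerpt in the thread.
SAMPLE_TREE = r"""
[INFO] com.att.idp:RiskAssessmentMS:jar:2.8.0
[INFO] +- com.att.idp:idp-health:jar:2.8.0:compile
[INFO] |  +- redis.clients:jedis:jar:3.8.0:compile
[INFO] |  |  \- org.apache.commons:commons-pool2:jar:2.11.1:compile
[INFO] |  \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
"""

# Indentation is built from 3-character units: "|  ", "   ", "+- " or "\- ".
LINE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2}|[+\\]- )*)([^\s:]+(?::[^\s:]+){3,5})")


def parse_tree(text):
    """Yield (path, group, artifact, version); path lists ancestor g:a from the root."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, plugin banners, build summary
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        # Root is g:a:type:version; children end in :version:scope.
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        yield list(stack), parts[0], parts[1], version
        stack.append(f"{parts[0]}:{parts[1]}")


def version_skew(text, group):
    """Return {version: [(artifact, path), ...]} if `group` resolves to >1 version."""
    seen = defaultdict(list)
    for path, g, a, v in parse_tree(text):
        if g == group:
            seen[v].append((a, path))
    return dict(seen) if len(seen) > 1 else {}


if __name__ == "__main__":
    skew = version_skew(SAMPLE_TREE, "com.fasterxml.jackson.core")
    for version, hits in sorted(skew.items()):
        for artifact, path in hits:
            print(f"{version}  {artifact}  via {' -> '.join(path)}")
```

The check only makes sense for groupIds whose artifacts are released in lockstep, such as com.fasterxml.jackson.core; it can gate a build so that a partially overridden library family is caught before it ships.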