Graham, you would just list the updated logger 1.0.1 dependency in your
own POM.  Maven will prefer that because it is "closer" and override 1.0
in Sally's POM.

> -----Original Message-----
> From: Graham Lea [mailto:[EMAIL PROTECTED] 
> Sent: Friday, June 30, 2006 6:27 PM
> To: users@maven.apache.org
> Subject: [m2] Transitive Dependency Questions
> 
> Hi all
> 
> I am new to using Maven2 and am concerned about the behaviour of 
> transitive dependencies.
> In particular, I foresee certain situations where automated transitive 
> dependencies, controlled by a third party, could be a Bad Thing.
> I have documented two such situations below.
> If anybody knows of and can explain ways in which Maven attempts to 
> handle or allows someone to themselves account for these kinds of 
> situations, I would be most appreciative if you could describe it or 
> give a reference. (Not to source code, please.) ;-)
> 
> Thanks very much,
> 
> Graham.
> 
> 
> *Scenario One*
> 1. Bob makes Bob's Ace Logger, v1.0
> 2. Sally makes Sally's Awesome Web Framework, v2.0, and it depends on 
> Bob's Ace Logger v1.0
> 3. I tell Maven I want Sally's Awesome Web Framework, v2.0, and it 
> automatically downloads both it and Bob's Ace Logger v1.0
> 4. Bob realises there is a crucial security flaw in v1.0 of his logger, 
> fixes it and releases 1.0.1, which is interface- and 
> functionally-compatible with 1.0
> 5. Sally doesn't know about Bob's security flaw or the update
> 6. Because Sally never updates her POM, my application continues to use 
> the flawed logger
> 
> 
> *Scenario Two*
> (1-4 are the same)
> 1. Bob makes Bob's Ace Logger, v1.0
> 2. Sally makes Sally's Awesome Web Framework, v2.0, and it depends on 
> Bob's Ace Logger v1.0
> 3. I tell Maven I want Sally's Awesome Web Framework, v2.0, and it 
> automatically downloads both it and Bob's Ace Logger v1.0
> 4. Bob realises there is a crucial security flaw in v1.0 of his logger, 
> fixes it and releases 1.0.1, which is interface- and 
> functionally-compatible with 1.0
> 5. Sally has been working on Sally's Awesome Web Framework, v3.0, and 
> changes it to use the updated Bob's Ace Logger v1.0.1
> 6. For reasons known only to my manager, I am not allowed to upgrade to 
> Sally's v3.0 framework, so have to continue using 2.0, which relies on 
> Bob's flawed Logger 1.0
> 

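The override described in the reply, written out as an added example (this POM fragment is not from the original thread; the groupId/artifactId coordinates for Bob's logger and Sally's framework are made up for illustration). The same edit covers both scenarios, since in each case the application POM, not Sally's, gets the final say on which logger version is resolved:

```xml
<!-- Added example: the application's own pom.xml. Coordinates for Bob's
     and Sally's artifacts are hypothetical placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.graham</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencies>
    <!-- Sally's framework 2.0 declares ace-logger 1.0 in its own POM,
         so that version reaches this build transitively at depth 2. -->
    <dependency>
      <groupId>com.example.sally</groupId>
      <artifactId>awesome-web-framework</artifactId>
      <version>2.0</version>
    </dependency>

    <!-- Declaring the patched logger directly puts it at depth 1. Maven's
         "nearest definition wins" mediation therefore resolves ace-logger
         to 1.0.1 and drops the 1.0 that Sally's POM asks for, without any
         change to Sally's published artifact. -->
    <dependency>
      <groupId>com.example.bob</groupId>
      <artifactId>ace-logger</artifactId>
      <version>1.0.1</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override actually took effect, run the Maven Dependency Plugin's `dependency:tree` goal and check that `ace-logger` appears once, at version 1.0.1, and that no 1.0 entry remains under the framework. If you prefer not to add a direct compile-scope dependency, a `<dependencyManagement>` entry for `ace-logger` 1.0.1 pins the version for transitive occurrences as well.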
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
