Merging dependency exclusions from dependencyManagement and dependencies


Merging dependency exclusions from dependencyManagement and dependencies

Andreas Hubold
Hi all,

I have a question on how effective dependency exclusions are computed.
I'd expect that exclusions are additive when specified for the same
dependency in the dependencyManagement and dependencies sections. This
is also what I read at https://stackoverflow.com/a/10736186

The output of dependency:tree also confirms this for the project that
declares the dependency, however the effects are different for another
project that depends on the former.

I've prepared a simplified example with two projects a and b. You can
find it at https://github.com/ahubold/test-maven-dependency-exclusion

a/pom.xml
- dependencyManagement for httpclient, excluding commons-logging
- dependency on httpclient, excluding commons-codec

b/pom.xml
- dependency on a

The dependency:tree for a/pom.xml shows that exclusions are additive
here and neither commons-logging nor commons-codec show up in the
result. That's fine.

[INFO] a:a:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile

But the dependency:tree for b/pom.xml has a transitive dependency on
commons-logging, which confuses me:

[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-logging:commons-logging:jar:1.2:compile

I would have expected to not see commons-logging here. Its exclusion
really seems to be hidden by the exclusion of commons-codec. If I now
change a/pom.xml and remove the exclusion of commons-codec, then
commons-logging will disappear from the dependencies:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-codec:commons-codec:jar:1.11:compile

My Maven version is 3.6.0.

Any thoughts? Is this a bug or intended behavior?

Kind regards,
Andreas

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
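A quick way to verify whether an exclusion you rely on actually holds in a consumer is to compare the exclusions declared in the upstream POM with the consumer's dependency:tree output. The script below is an added example, not code from this thread, from the linked repository or from Maven itself. A_POM is a constructed reconstruction of the a/pom.xml described above (assumed to match the repository), and A_TREE and B_TREE are the tree outputs quoted in the post. It reads exclusions from both dependencyManagement and dependencies as a union (the additive semantics the post expects) and reports any artifact that still appears anywhere beneath the dependency that was supposed to exclude it, since Maven exclusions cover the whole subtree.

```python
"""Check whether exclusions declared in an upstream POM survive into a downstream
project's dependency:tree.  Added example: not code from this thread, the linked
repository, or Maven.  A_POM is a constructed reconstruction of the a/pom.xml the
post describes; A_TREE and B_TREE are the tree outputs quoted in the post."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

A_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>a</groupId><artifactId>a</artifactId><version>1.0.0-SNAPSHOT</version>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId>
      <version>4.5.8</version>
      <exclusions><exclusion>
        <groupId>commons-logging</groupId><artifactId>commons-logging</artifactId>
      </exclusion></exclusions>
    </dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId>
      <exclusions><exclusion>
        <groupId>commons-codec</groupId><artifactId>commons-codec</artifactId>
      </exclusion></exclusions>
    </dependency>
  </dependencies>
</project>"""

A_TREE = r"""[INFO] a:a:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile"""

B_TREE = r"""[INFO] b:b:pom:1.0.0-SNAPSHOT
[INFO] \- a:a:jar:1.0.0-SNAPSHOT:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]       \- commons-logging:commons-logging:jar:1.2:compile"""

# One tree level is three prefix characters: "+- ", "\- ", "|  " or "   ".
TREE_LINE = re.compile(r"^\[INFO\] ([|\\+\- ]*)(\S+)$")


def _ga_of(elem):
    """groupId:artifactId of a <dependency> or <exclusion> element."""
    return (elem.findtext("m:groupId", namespaces=NS).strip() + ":"
            + elem.findtext("m:artifactId", namespaces=NS).strip())


def declared_exclusions(pom_xml):
    """Map each dependency's groupId:artifactId to the union of the exclusions
    declared for it in dependencyManagement and in dependencies (the additive
    reading that this checker verifies against the tree)."""
    root = ET.fromstring(pom_xml)
    result = {}
    for dep in root.iterfind(".//m:dependency", NS):
        excl = result.setdefault(_ga_of(dep), set())
        for ex in dep.iterfind("m:exclusions/m:exclusion", NS):
            excl.add(_ga_of(ex))
    return result


def parse_tree(output):
    """Turn `mvn dependency:tree` text into [(depth, coords), ...]; banner and
    summary lines do not match TREE_LINE and are skipped."""
    nodes = []
    for line in output.splitlines():
        m = TREE_LINE.match(line)
        if m:
            nodes.append((len(m.group(1)) // 3, m.group(2)))
    return nodes


def ga(coords):
    """groupId:artifactId of a tree node such as g:a:jar:1.0:compile."""
    group, artifact = coords.split(":")[:2]
    return f"{group}:{artifact}"


def leaked_exclusions(pom_xml, tree_output):
    """Return {excluded_ga: excluding_ga} for artifacts that the POM excludes
    under some dependency but that still appear anywhere beneath that
    dependency in the tree (Maven exclusions cover the whole subtree)."""
    exclusions = declared_exclusions(pom_xml)
    leaked = {}
    stack = []  # groupId:artifactId of the ancestors of the current node
    for depth, coords in parse_tree(tree_output):
        del stack[depth:]
        node = ga(coords)
        for ancestor in stack:
            if node in exclusions.get(ancestor, ()):
                leaked[node] = ancestor
        stack.append(node)
    return leaked


if __name__ == "__main__":
    for name, tree in (("a", A_TREE), ("b", B_TREE)):
        leaked = leaked_exclusions(A_POM, tree)
        print(f"{name}: {leaked or 'all declared exclusions hold'}")
```

Run `mvn dependency:tree` in the consumer, save the output and pass it in place of B_TREE. A non-empty result means the consumer still pulls in something the upstream POM meant to drop, which matters when an exclusion is what keeps a vulnerable or unwanted transitive out of downstream builds; the check is cheap enough to run in CI for every consuming project.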


Re: Merging dependency exclusions from dependencyManagement and dependencies

Andy Feldman
I have observed similar behavior with the version number. My conclusion was
that dependencyManagement is not transitive.

Example of what I observed: I have a project my-library with transitive
dependencies on 3rd-party-library version 1.1 and 1.2 that would normally
resolve to 1.1. I use dependencyManagement in my-library to override it to
1.2. I use my-library from my-project. my-project gets
3rd-party-library 1.1 instead of 1.2.

The docs at
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
suggest that you can manually pull in the dependencyManagement section of another
pom. Look for "Z imports the managed dependencies from both X and Y." I
haven't tried this approach.


On Wed, May 15, 2019 at 2:17 AM Andreas Hubold <[hidden email]>
wrote:


Re: Merging dependency exclusions from dependencyManagement and dependencies

Andreas Hubold
Hi,

In my original post I've described that exclusions from the
dependencyManagement are used for downstream projects as long as there
aren't any exclusions specified at the dependency itself. So the
conclusion that dependencyManagement isn't transitive cannot be true, at
least for some cases. The actual behavior seems to be inconsistent and
rather confusing to me.

Can some Maven expert/maintainer please comment on my original question?
How is this supposed to work, is this as intended?

Thank you,
Andreas

Andy Feldman wrote on 15.05.19 18:39:
