steveloughran commented on PR #8074: URL: https://github.com/apache/hadoop/pull/8074#issuecomment-3516424943
the main thing we need to do with aggregate imports is be confident that when a hadoop-* module imports a dependency d, and d depends on jackson-something, then our choice of jackson artifacts overrides whatever version of jackson-something that artifact d declared. And that is, well, tricky. If some hadoop module says I depend on jackson-bom 2.18 and so we get 2.18 jackson-core that way, it is coming in transitively, one two levels down the tree. If something downstream pulls in hadoop-common and a different jackson-core artifact, whether that different one comes in or not depends on depth down the tree which the artifact was declared (closest to root resolution, not newest version). By importing via a bom.pom we're pushing our dependencies down one level. That doesn't mean it's bad, only that it has consequences in version resolution, consequences which may surface downstream. Note: maven 4 has explicit BOM artifacts; no idea what they bring here. https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Bill_of_Materials_.28BOM.29_POMs -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
