[jira] [Commented] (HADOOP-19503) Use jackson-bom to set jackson versions

Tue, 11 Nov 2025 03:30:28 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-19503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18037409#comment-18037409
 ] 

ASF GitHub Bot commented on HADOOP-19503:
-----------------------------------------

steveloughran commented on PR #8074:
URL: https://github.com/apache/hadoop/pull/8074#issuecomment-3516424943

   the main thing we need to do with aggregate imports is be confident that 
when a hadoop-* module imports a dependency d, and d depends on 
jackson-something, then our choice of jackson artifacts overrides whatever 
version of jackson-something that artifact d declared.
   
   And that is, well, tricky. 
   
   If some hadoop module says I depend on jackson-bom 2.18 and so we get 2.18 
jackson-core that way, it is coming in transitively, one two levels down the 
tree. If something downstream pulls in hadoop-common and a different 
jackson-core artifact, whether that different one comes in or not depends on 
depth down the tree which the artifact was declared (closest to root 
resolution, not newest version). 
   By importing via a bom.pom we're pushing our dependencies down one level.
   
   That doesn't mean it's bad, only that it has consequences in version 
resolution, consequences which may surface downstream.
   
   Note: maven 4 has explicit BOM artifacts; no idea what they bring here.
   
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Bill_of_Materials_.28BOM.29_POMs




> Use jackson-bom to set jackson versions
> ---------------------------------------
>
>                 Key: HADOOP-19503
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19503
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Minor
>              Labels: pull-request-available
>
> It is much easier to maintain than the current direct dependencyManagement 
> entries.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to