[jira] [Commented] (MNG-5988) Dependency mediation should prioritize transitive dependencies based on scope.

[Jostein Gogstad (JIRA)]

    [ 
https://issues.apache.org/jira/browse/MNG-5988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15354679#comment-15354679
 ] 

Jostein Gogstad commented on MNG-5988:
--------------------------------------

That's true, explicitly depending on some transitive dependency some library 
needs will force maven to use that version. It's the easiest solution, but the 
problem is unexpected and it is some times difficult to detect which library to 
depend on.

When a test-scoped dependency requires a _different_ (not necessarily newer) 
version of a library at shallow depth, maven has two choices:
# Package the test-scoped version, strictly adhering to nearest-definition and 
possibly downgrading the library that production code requires.
# Package the compile/runtime scoped version, possibly downgrading the library 
that test code requires

Alternative 2 is the better option of these choices because errors as a result 
of conflicting dependencies are detected earlier and they don't affect 
production code. CI being fairly common among development teams these days will 
catch errors resulting from choosing the "wrong" library when the tests are 
run. On the other hand, it the tests gets to dictate which library are chosen, 
errors aren't visible until the application is run. Even though the transitive 
dependencies are compile scoped, it won't matter since the direct dependency is 
already compiled.

Maven should use "nearest definition" when choosing dependencies, but it 
consider the scope of the direct dependency when doing so.

> Dependency mediation should prioritize transitive dependencies based on scope.
> ------------------------------------------------------------------------------
>
>                 Key: MNG-5988
>                 URL: https://issues.apache.org/jira/browse/MNG-5988
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.2.3
>            Reporter: Jostein Gogstad
>
> The 
> [documentation|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html]
>  states that dependency mediation only supports "nearest definition", 
> regardless of the scope of the parent dependency.
> If both compile- and test scoped dependencies shares the same transitive 
> dependency, the test-scoped one will win if it has shallower depth. That in 
> turn will lead to runtime exceptions since the transitive dependency is no 
> longer on the classpath.
> Take the following pom from a typical [Spring 
> Boot|http://projects.spring.io/spring-boot/] application. Since the 
> {{camel-test-spring}} dependency also depends on spring, it wins and Spring 
> is no longer available to the application at runtime.
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
> http://maven.apache.org/maven-v4_0_0.xsd";>
>     <modelVersion>4.0.0</modelVersion>
>     <groupId>com.example</groupId>
>     <artifactId>bugreport</artifactId>
>     <packaging>jar</packaging>
>     <version>1.0.0-SNAPSHOT</version>
>     <dependencies>
>         <dependency>
>             <groupId>org.springframework.boot</groupId>
>             <artifactId>spring-boot-starter-web</artifactId>
>             <version>1.3.2.RELEASE</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apache.camel</groupId>
>             <artifactId>camel-test-spring</artifactId>
>             <version>2.16.2</version>
>             <scope>test</scope>
>         </dependency>
>     </dependencies>
> </project>
> {code}
> Now look for {{spring-beans}} or {{spring-context}} in the following 
> dependency graphs:
> {code:xml|title=mvn dependency:tree (with camel-test-spring)}
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ bugreport ---
> [INFO] com.example:bugreport:jar:1.0.0-SNAPSHOT
> [INFO] +- 
> org.springframework.boot:spring-boot-starter-web:jar:1.3.2.RELEASE:compile
> [INFO] |  +- 
> org.springframework.boot:spring-boot-starter:jar:1.3.2.RELEASE:compile
> [INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.3.2.RELEASE:compile
> [INFO] |  |  +- 
> org.springframework.boot:spring-boot-autoconfigure:jar:1.3.2.RELEASE:compile
> [INFO] |  |  +- 
> org.springframework.boot:spring-boot-starter-logging:jar:1.3.2.RELEASE:compile
> [INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.1.3:compile
> [INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.1.3:compile
> [INFO] |  |  |  +- org.slf4j:jcl-over-slf4j:jar:1.7.13:compile
> [INFO] |  |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.13:compile
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.13:compile
> [INFO] |  |  \- org.yaml:snakeyaml:jar:1.16:runtime
> [INFO] |  +- 
> org.springframework.boot:spring-boot-starter-tomcat:jar:1.3.2.RELEASE:compile
> [INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.0.30:compile
> [INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.0.30:compile
> [INFO] |  |  +- 
> org.apache.tomcat.embed:tomcat-embed-logging-juli:jar:8.0.30:compile
> [INFO] |  |  \- 
> org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.0.30:compile
> [INFO] |  +- 
> org.springframework.boot:spring-boot-starter-validation:jar:1.3.2.RELEASE:compile
> [INFO] |  |  \- org.hibernate:hibernate-validator:jar:5.2.2.Final:compile
> [INFO] |  |     +- javax.validation:validation-api:jar:1.1.0.Final:compile
> [INFO] |  |     +- org.jboss.logging:jboss-logging:jar:3.2.1.Final:compile
> [INFO] |  |     \- com.fasterxml:classmate:jar:1.1.0:compile
> [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.5:compile
> [INFO] |  |  +- 
> com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
> [INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.6.5:compile
> [INFO] |  +- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
> [INFO] |  \- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
> [INFO] \- org.apache.camel:camel-test-spring:jar:2.16.2:test
> [INFO]    +- org.apache.camel:camel-test:jar:2.16.2:test
> [INFO]    |  +- org.apache.camel:camel-core:jar:2.16.2:test
> [INFO]    |  |  \- org.slf4j:slf4j-api:jar:1.6.6:compile
> [INFO]    |  \- junit:junit:jar:4.11:test
> [INFO]    |     \- org.hamcrest:hamcrest-core:jar:1.3:test
> [INFO]    +- org.apache.camel:camel-spring:jar:2.16.2:test
> [INFO]    +- org.springframework:spring-test:jar:4.1.9.RELEASE:test
> [INFO]    +- org.springframework:spring-context:jar:4.1.9.RELEASE:compile
> [INFO]    +- org.springframework:spring-beans:jar:4.1.9.RELEASE:compile
> [INFO]    +- org.springframework:spring-expression:jar:4.1.9.RELEASE:compile
> [INFO]    +- org.springframework:spring-aop:jar:4.1.9.RELEASE:compile
> [INFO]    |  \- aopalliance:aopalliance:jar:1.0:compile
> [INFO]    +- org.springframework:spring-tx:jar:4.1.9.RELEASE:test
> [INFO]    +- org.springframework:spring-core:jar:4.1.9.RELEASE:compile
> [INFO]    |  \- commons-logging:commons-logging:jar:1.2:compile
> [INFO]    +- com.sun.xml.bind:jaxb-core:jar:2.2.11:test
> [INFO]    \- com.sun.xml.bind:jaxb-impl:jar:2.2.11:test
> {code}
> {code:xml|title=mvn dependency:tree (without camel-test-spring)}
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ bugreport ---
> [INFO] com.example:bugreport:jar:1.0.0-SNAPSHOT
> [INFO] \- 
> org.springframework.boot:spring-boot-starter-web:jar:1.3.2.RELEASE:compile
> [INFO]    +- 
> org.springframework.boot:spring-boot-starter:jar:1.3.2.RELEASE:compile
> [INFO]    |  +- org.springframework.boot:spring-boot:jar:1.3.2.RELEASE:compile
> [INFO]    |  +- 
> org.springframework.boot:spring-boot-autoconfigure:jar:1.3.2.RELEASE:compile
> [INFO]    |  +- 
> org.springframework.boot:spring-boot-starter-logging:jar:1.3.2.RELEASE:compile
> [INFO]    |  |  +- ch.qos.logback:logback-classic:jar:1.1.3:compile
> [INFO]    |  |  |  +- ch.qos.logback:logback-core:jar:1.1.3:compile
> [INFO]    |  |  |  \- org.slf4j:slf4j-api:jar:1.7.7:compile
> [INFO]    |  |  +- org.slf4j:jcl-over-slf4j:jar:1.7.13:compile
> [INFO]    |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.13:compile
> [INFO]    |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.13:compile
> [INFO]    |  +- org.springframework:spring-core:jar:4.2.4.RELEASE:compile
> [INFO]    |  \- org.yaml:snakeyaml:jar:1.16:runtime
> [INFO]    +- 
> org.springframework.boot:spring-boot-starter-tomcat:jar:1.3.2.RELEASE:compile
> [INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.0.30:compile
> [INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.0.30:compile
> [INFO]    |  +- 
> org.apache.tomcat.embed:tomcat-embed-logging-juli:jar:8.0.30:compile
> [INFO]    |  \- 
> org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.0.30:compile
> [INFO]    +- 
> org.springframework.boot:spring-boot-starter-validation:jar:1.3.2.RELEASE:compile
> [INFO]    |  \- org.hibernate:hibernate-validator:jar:5.2.2.Final:compile
> [INFO]    |     +- javax.validation:validation-api:jar:1.1.0.Final:compile
> [INFO]    |     +- org.jboss.logging:jboss-logging:jar:3.2.1.Final:compile
> [INFO]    |     \- com.fasterxml:classmate:jar:1.1.0:compile
> [INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.5:compile
> [INFO]    |  +- 
> com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
> [INFO]    |  \- com.fasterxml.jackson.core:jackson-core:jar:2.6.5:compile
> [INFO]    +- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
> [INFO]    |  +- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
> [INFO]    |  |  \- aopalliance:aopalliance:jar:1.0:compile
> [INFO]    |  +- org.springframework:spring-beans:jar:4.2.4.RELEASE:compile
> [INFO]    |  \- org.springframework:spring-context:jar:4.2.4.RELEASE:compile
> [INFO]    \- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
> [INFO]       \- 
> org.springframework:spring-expression:jar:4.2.4.RELEASE:compile
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)