[
https://issues.apache.org/jira/browse/MNG-6141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216635#comment-16216635
]
Joerg Schaible edited comment on MNG-6141 at 10/24/17 10:08 AM:
----------------------------------------------------------------
Extended example, where
* parent inherits maven-parent and manages junit,
* module-1 overrides plexus-component-annotations (managed by maven-parent) and
manages plexus-utils with a depMgmt section and
* a new module-3 (without a parent) using module-1.
{code:title=Module 1}
[DEBUG] localhost:module-1:jar:1.0-SNAPSHOT
[DEBUG] org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG] junit:junit:jar:3.8.1:compile (version managed from 3.8.2 by
localhost:parent:1.0-SNAPSHOT)
[DEBUG] org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG] org.apache.maven:maven-model:jar:3.0:compile
[DEBUG] org.codehaus.plexus:plexus-utils:jar:2.0.7:compile (version
managed from 2.0.4 by localhost:module-1:1.0-SNAPSHOT)
[DEBUG] org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG] org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}
Module-3 obviously uses wrong plexus-utils and junit versions, but at least the
correct version of maven-plugin-api and plexus-component-annotations:
{code:title=Module 3}
[DEBUG] localhost:module-3:jar:1.0-SNAPSHOT
[DEBUG] localhost:module-1:jar:1.0-SNAPSHOT:compile
[DEBUG] org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG] junit:junit:jar:3.8.2:compile
[DEBUG] org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG] org.apache.maven:maven-model:jar:3.0:compile
[DEBUG] org.codehaus.plexus:plexus-utils:jar:2.0.4:compile
[DEBUG] org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG] org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}
Generated with Maven 3.3.9.
If I understand you proposal now correctly, you would like to forbid the local
overriding of maven-plugin-api, which is ignored for module-2, but respected
for module-3. OTOH module-3 exposes different problems, since the active
depMgmt sections of a dependency itself are not considered.
One use case, where I use a local overriding also actively, is for testing a
different version of a dependency. Existing unit test may reveal a different
behaviour.
was (Author: joehni):
Extended example, where
* parent inherits maven-parent and manages junit,
* module-1 overrides plexus-component-annotations (managed by maven-parent) and
manages plexus-utils with a depMgmt section and
* a new module-3 (without a parent) using module-1.
{code:title=Module 1}
[DEBUG] localhost:module-1:jar:1.0-SNAPSHOT
[DEBUG] org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG] junit:junit:jar:3.8.1:compile (version managed from 3.8.2 by
localhost:parent:1.0-SNAPSHOT)
[DEBUG] org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG] org.apache.maven:maven-model:jar:3.0:compile
[DEBUG] org.codehaus.plexus:plexus-utils:jar:2.0.7:compile (version
managed from 2.0.4 by localhost:module-1:1.0-SNAPSHOT)
[DEBUG] org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG] org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}
Module-3 obviously uses wrong plexus-utils and junit versions, but at least the
correct version of maven-plugin-api:
{code:title=Module 3}
[DEBUG] localhost:module-3:jar:1.0-SNAPSHOT
[DEBUG] localhost:module-1:jar:1.0-SNAPSHOT:compile
[DEBUG] org.codehaus.plexus:plexus-component-annotations:jar:1.5.0:compile
[DEBUG] junit:junit:jar:3.8.2:compile
[DEBUG] org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG] org.apache.maven:maven-model:jar:3.0:compile
[DEBUG] org.codehaus.plexus:plexus-utils:jar:2.0.4:compile
[DEBUG] org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG] org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[DEBUG] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
{code}
Generated with Maven 3.3.9.
If I understand you proposal now correctly, you would like to forbid the local
overriding of maven-plugin-api, which is ignored for module-2, but respected
for module-3. OTOH module-3 exposes different problems, since the active
depMgmt sections of a dependency itself are not considered.
One use case, where I use a local overriding also actively, is for testing a
different version of a dependency. Existing unit test may reveal a different
behaviour.
> Dependency management overrides are not transitive and should be considered
> an anti-pattern.
> --------------------------------------------------------------------------------------------
>
> Key: MNG-6141
> URL: https://issues.apache.org/jira/browse/MNG-6141
> Project: Maven
> Issue Type: Bug
> Reporter: Christian Schulte
> Priority: Critical
> Attachments: MNG-6141-3.zip, MNG-6141.zip
>
>
> Overriding the dependency management in a module's {{<dependencies>}}
> section, the overridden value will not be preserved transitively. It makes no
> sense to be able to override the dependency management in a module if that is
> only effective in that module and nowhere else. Overriding the dependency
> management from inside a {{<dependencies>}} element should be considered an
> anti-pattern. Maven should provide a warning when it is used. During the
> development of Maven 3.4, there have been quite a few discussions on dev@
> about build issues which were all caused by overriding the dependency
> management that way without noticing this is not supported transitively.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
