[jira] [Commented] (MNG-5761) Dependency management is not transitive.

Tue, 02 Feb 2021 02:06:07 -0800 


    [ 
https://issues.apache.org/jira/browse/MNG-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17277004#comment-17277004
 ] 

Marc Carter commented on MNG-5761:
----------------------------------

Finally realised why I see so many poms with more {{<exclusions>}} than 
{{<dependencies>}}. This is counter-intuitive and breaks basic encapsulation 
principles. 

To be clear, just in case it's lost in the above noise, my understanding here 
is not that _all_ of {{project_A}}'s managed-dependencies should appear in 
{{project_C}} (BOM-style). Only {{project_A}}'s _effective_ 
managed-dependencies should appear transitively - those that changed A's 
_effective pom_. 

I do see that this might be difficult to capture without publishing a generated 
pom where those are instantiated as actual <dependencies> (sort of how 
non-Maven tools publish into Maven repos by building a minimal "runtime pom").

> Dependency management is not transitive.
> ----------------------------------------
>
>                 Key: MNG-5761
>                 URL: https://issues.apache.org/jira/browse/MNG-5761
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.2.5
>            Reporter: Jeff Schnitzer
>            Priority: Critical
>             Fix For: 4.0.x-candidate
>
>         Attachments: MNG-5761.zip
>
>
> A detailed description of the issue is here:
> http://stackoverflow.com/questions/28312975/maven-dependencymanagement-version-ignored-in-transitive-dependencies
> The short of it is that maven appears to be using the wrong 
> <dependencyManagement> version in a transitive dependency.  There are two 
> relevant <dependencyManagement> sections in the build, one pulled in by guice 
> and one pulled in by gwizard-parent. These are the dependency paths from the 
> top:
> gwizard-example -> gwizard-config -> gwizard-parent
> gwizard-example -> gwizard-config -> guice -> guice-parent
> gwizard-parent's dependencyManagement specifies guava 18
> guice-parent's dependencyManagement specifies guava 16
> Guava 16 is winning. This seems highly undesirable, and in fact it breaks our 
> build. I would expect that in a version # fight, "closest to the top" should 
> win.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to