[jira] [Commented] (MNG-5761) Dependency management is not transitive.

Mon, 12 Apr 2021 14:01:15 -0700 


    [ 
https://issues.apache.org/jira/browse/MNG-5761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319717#comment-17319717
 ] 

Marc commented on MNG-5761:
---------------------------

I think I am facing the issue as well through BOMs. I have a project with a 
parent that <imports> Spring Boot Dependencies, defining latest junit 
dependency, and then I importedĀ com.github.cloudyrock.mongock, which contains a 
parent with a <dependencyManagement> version of an older JUnit dependency and 
according to help:effective-pom -DverboseĀ its resolving the later.

I personally think this is absolutely impacting on current development. As soon 
as any Spring Boot project declares a dependency which uses 
dependencyManagement/BOM internally, we are going to loose track of Boot BOMs 
and cause incompatibilities very easy.

It's very counterintiuitive that any dependency can override the versioning 
coming from parent projects.

> Dependency management is not transitive.
> ----------------------------------------
>
>                 Key: MNG-5761
>                 URL: https://issues.apache.org/jira/browse/MNG-5761
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.2.5
>            Reporter: Jeff Schnitzer
>            Priority: Critical
>             Fix For: 4.0.x-candidate
>
>         Attachments: MNG-5761.zip
>
>
> A detailed description of the issue is here:
> http://stackoverflow.com/questions/28312975/maven-dependencymanagement-version-ignored-in-transitive-dependencies
> The short of it is that maven appears to be using the wrong 
> <dependencyManagement> version in a transitive dependency.  There are two 
> relevant <dependencyManagement> sections in the build, one pulled in by guice 
> and one pulled in by gwizard-parent. These are the dependency paths from the 
> top:
> gwizard-example -> gwizard-config -> gwizard-parent
> gwizard-example -> gwizard-config -> guice -> guice-parent
> gwizard-parent's dependencyManagement specifies guava 18
> guice-parent's dependencyManagement specifies guava 16
> Guava 16 is winning. This seems highly undesirable, and in fact it breaks our 
> build. I would expect that in a version # fight, "closest to the top" should 
> win.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to