[ https://issues.apache.org/jira/browse/MENFORCER-316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17386736#comment-17386736 ]

Chris Povirk commented on MENFORCER-316:
----------------------------------------

Thanks. Should I open a bug about {{dependency:build-classpath}}, then, for claiming that the version on the classpath is 2.1.0? (I haven't checked what's actually used at runtime by various plugins.)

{code:java}
$ /tmp/tmp.jbREFTvP8B/apache-maven-3.8.1/bin/mvn clean install dependency:build-classpath | perl -ne 'print if /Building extension/ ... 0' | grep -o 'checker-compat-qual-[^:]*'
checker-compat-qual-2.1.0.jar
{code}

> requireUpperBoundDeps sometimes still ineffective when dependencyManagement is used
> -----------------------------------------------------------------------------------
>
>                 Key: MENFORCER-316
>                 URL: https://issues.apache.org/jira/browse/MENFORCER-316
>             Project: Maven Enforcer Plugin
>          Issue Type: Bug
>    Affects Versions: 3.0.0-M2
>            Reporter: Chris Povirk
>            Assignee: Robert Scholte
>            Priority: Major
>         Attachments: menforcerbug.tar
>
>
> This sounds similar to [MENFORCER-146|https://issues.apache.org/jira/browse/MENFORCER-146], but that was fixed long ago.
> Attached is a multi-module project whose:
> * `core` module depends on checker-compat-qual 2.5.3
> * `core` module depends on guava 25.1-android, which [depends|https://repo1.maven.org/maven2/com/google/guava/guava/25.1-android/guava-25.1-android.pom] [on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/25.1-android/guava-parent-25.1-android.pom] checker-compat-qual 2.0.0
> * `extension` module depends on the `core` module and checker-compat-qual 2.1.0
> That's 3 different versions of checker-compat-qual in the dependency graph of `extension`. As expected, `extension` chooses the nearest version, 2.1.0:
> {noformat}
> $ rm -rf ~/.m2/repository/com/google/menforcer/ && /tmp/tmp.Q0KJ1iotaP/apache-maven-3.5.4/bin/mvn clean install dependency:build-classpath | perl -ne 'print if /Building extension/ ... 0' | grep -o 'checker-compat-qual-[^:]*'
> checker-compat-qual-2.1.0.jar
> {noformat}
> This is not the newest version, though, so I would expect the configured `requireUpperBoundDeps` check to fail. Yet it succeeds, unable to detect the problem.
> Interestingly, it is able to detect the problem if I remove the dependencyManagement section from the parent pom.
> Also interestingly, it is also able to detect the problem if I update the guava dependency to version 26.0-android, which [depends on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom] checker-compat-qual 2.5.3.
> So it seems like the enforcer is confused by a combination of (a) a dependencyManagement section and (b) a transitive dependency on an even older version of the non-upper-bounded library.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
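
Added example (not part of the Jira message and not the Enforcer plugin's code): a simplified Python model of the dependency graph described in the issue. It shows that nearest-wins mediation selects checker-compat-qual 2.1.0 while 2.5.3 is requested elsewhere in the graph, which is the condition the reporter expects requireUpperBoundDeps to flag. The module version "1.0", the function names and the numeric-only version comparison are assumptions; dependencyManagement, scopes and exclusions are not modelled.

```python
import re
from collections import deque

# Constructed from the issue description: node -> direct dependencies.
# The "1.0" module versions are placeholders, not taken from the attachment.
GRAPH = {
    ("extension", "1.0"): [("core", "1.0"), ("checker-compat-qual", "2.1.0")],
    ("core", "1.0"): [("checker-compat-qual", "2.5.3"), ("guava", "25.1-android")],
    ("guava", "25.1-android"): [("checker-compat-qual", "2.0.0")],
}

def version_key(version):
    # Simplification: compare numeric components only, not Maven's full ordering.
    return tuple(int(n) for n in re.findall(r"\d+", version))

def collect(root):
    """Breadth-first walk; returns {artifact: [(depth, version), ...]} in visit order."""
    seen, found = {root}, {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for dep in GRAPH.get(node, []):
            found.setdefault(dep[0], []).append((depth + 1, dep[1]))
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, depth + 1))
    return found

def nearest_wins(found):
    # min() returns the first minimal item, so the first-declared version wins a depth tie.
    return {a: min(v, key=lambda dv: dv[0])[1] for a, v in found.items()}

def upper_bound_violations(root):
    """Artifacts whose resolved version is lower than the highest version requested."""
    found = collect(root)
    resolved = nearest_wins(found)
    violations = {}
    for artifact, versions in found.items():
        highest = max((v for _, v in versions), key=version_key)
        if version_key(resolved[artifact]) < version_key(highest):
            violations[artifact] = (resolved[artifact], highest)
    return violations

if __name__ == "__main__":
    for artifact, (used, wanted) in upper_bound_violations(("extension", "1.0")).items():
        print(f"{artifact}: resolved {used}, but {wanted} is requested in the graph")
```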