[
https://issues.apache.org/jira/browse/MNG-5988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414579#comment-17414579
]
Shannon Carey commented on MNG-5988:
------------------------------------
Btw I see this happening still in 3.6.3.
{quote}is the bug that Maven is not doing what it claims to do
{quote}
Probably not, but I would argue that Maven's document is not very clear about
what it claims. It does explain how version conflicts are resolved, but it also
explains how transitive scope resolution works. And specifically, it says that
if you have a test-scope dependency, the transitive compile-scope dependencies
will be test-scope. That implies that you wouldn't see a test dependency
impacting the compile/runtime classpath as this Jira reports is happening. But,
it's not super clear because the documentation doesn't explain how those
interact.
IMO, an alteration to the test-scope dependencies should have zero impact on
the production (runtime) classpath. It's counterintuitive and creates risk.
{quote}There are multiple solutions to this. The easiest is to just move the
dependency in question up in the hierarchy so that it gets selected.
{quote}
You're right that there are workarounds:
* create an explicit top-level dependency
* use dependency management
* add an <exclusion> to the test dependency (yuck)
However, those workarounds assume some unfriendly things, even from someone
like myself who has been using Maven a long time:
# You've noticed the problem in the first place
# You have to figure out that this is the cause of the problem, which IMO is a
bit mysterious/unexpected
# Every time someone updates a dependency, they have to remember to go through
and copy the transitive dependency versions up to the top-level POM
# Every time someone updates a dependency, they have to remember to go through
the transitive dependencies to figure out whether any should be removed from
the top-level POM
# Every time someone updates a dependency, you may get a sudden mysterious
compilation failure because your <exclusion> now makes the needed library
completely omitted
> Dependency mediation should prioritize transitive dependencies based on scope.
> ------------------------------------------------------------------------------
>
> Key: MNG-5988
> URL: https://issues.apache.org/jira/browse/MNG-5988
> Project: Maven
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 3.2.3
> Reporter: Jostein Gogstad
> Priority: Critical
> Fix For: needing-scrub-3.4.0-fallout
>
> Attachments: Collected.svg, MNG-5988.zip, PRE.svg, Resolved.svg
>
>
> The
> [documentation|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html]
> states that dependency mediation only supports "nearest definition",
> regardless of the scope of the parent dependency.
> If both compile- and test scoped dependencies shares the same transitive
> dependency, the test-scoped one will win if it has shallower depth. That in
> turn will lead to runtime exceptions since the transitive dependency is no
> longer on the classpath.
> Take the following pom from a typical [Spring
> Boot|http://projects.spring.io/spring-boot/] application. Since the
> {{camel-test-spring}} dependency also depends on spring, it wins and Spring
> is no longer available to the application at runtime.
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
> http://maven.apache.org/maven-v4_0_0.xsd";>
> <modelVersion>4.0.0</modelVersion>
> <groupId>com.example</groupId>
> <artifactId>bugreport</artifactId>
> <packaging>jar</packaging>
> <version>1.0.0-SNAPSHOT</version>
> <dependencies>
> <dependency>
> <groupId>org.springframework.boot</groupId>
> <artifactId>spring-boot-starter-web</artifactId>
> <version>1.3.2.RELEASE</version>
> </dependency>
> <dependency>
> <groupId>org.apache.camel</groupId>
> <artifactId>camel-test-spring</artifactId>
> <version>2.16.2</version>
> <scope>test</scope>
> </dependency>
> </dependencies>
> </project>
> {code}
> Now look for {{spring-beans}} or {{spring-context}} in the following
> dependency graphs:
> {code:xml|title=mvn dependency:tree (with camel-test-spring)}
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ bugreport ---
> [INFO] com.example:bugreport:jar:1.0.0-SNAPSHOT
> [INFO] +-
> org.springframework.boot:spring-boot-starter-web:jar:1.3.2.RELEASE:compile
> [INFO] | +-
> org.springframework.boot:spring-boot-starter:jar:1.3.2.RELEASE:compile
> [INFO] | | +- org.springframework.boot:spring-boot:jar:1.3.2.RELEASE:compile
> [INFO] | | +-
> org.springframework.boot:spring-boot-autoconfigure:jar:1.3.2.RELEASE:compile
> [INFO] | | +-
> org.springframework.boot:spring-boot-starter-logging:jar:1.3.2.RELEASE:compile
> [INFO] | | | +- ch.qos.logback:logback-classic:jar:1.1.3:compile
> [INFO] | | | | \- ch.qos.logback:logback-core:jar:1.1.3:compile
> [INFO] | | | +- org.slf4j:jcl-over-slf4j:jar:1.7.13:compile
> [INFO] | | | +- org.slf4j:jul-to-slf4j:jar:1.7.13:compile
> [INFO] | | | \- org.slf4j:log4j-over-slf4j:jar:1.7.13:compile
> [INFO] | | \- org.yaml:snakeyaml:jar:1.16:runtime
> [INFO] | +-
> org.springframework.boot:spring-boot-starter-tomcat:jar:1.3.2.RELEASE:compile
> [INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.0.30:compile
> [INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.0.30:compile
> [INFO] | | +-
> org.apache.tomcat.embed:tomcat-embed-logging-juli:jar:8.0.30:compile
> [INFO] | | \-
> org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.0.30:compile
> [INFO] | +-
> org.springframework.boot:spring-boot-starter-validation:jar:1.3.2.RELEASE:compile
> [INFO] | | \- org.hibernate:hibernate-validator:jar:5.2.2.Final:compile
> [INFO] | | +- javax.validation:validation-api:jar:1.1.0.Final:compile
> [INFO] | | +- org.jboss.logging:jboss-logging:jar:3.2.1.Final:compile
> [INFO] | | \- com.fasterxml:classmate:jar:1.1.0:compile
> [INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.5:compile
> [INFO] | | +-
> com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
> [INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.6.5:compile
> [INFO] | +- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
> [INFO] | \- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
> [INFO] \- org.apache.camel:camel-test-spring:jar:2.16.2:test
> [INFO] +- org.apache.camel:camel-test:jar:2.16.2:test
> [INFO] | +- org.apache.camel:camel-core:jar:2.16.2:test
> [INFO] | | \- org.slf4j:slf4j-api:jar:1.6.6:compile
> [INFO] | \- junit:junit:jar:4.11:test
> [INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
> [INFO] +- org.apache.camel:camel-spring:jar:2.16.2:test
> [INFO] +- org.springframework:spring-test:jar:4.1.9.RELEASE:test
> [INFO] +- org.springframework:spring-context:jar:4.1.9.RELEASE:compile
> [INFO] +- org.springframework:spring-beans:jar:4.1.9.RELEASE:compile
> [INFO] +- org.springframework:spring-expression:jar:4.1.9.RELEASE:compile
> [INFO] +- org.springframework:spring-aop:jar:4.1.9.RELEASE:compile
> [INFO] | \- aopalliance:aopalliance:jar:1.0:compile
> [INFO] +- org.springframework:spring-tx:jar:4.1.9.RELEASE:test
> [INFO] +- org.springframework:spring-core:jar:4.1.9.RELEASE:compile
> [INFO] | \- commons-logging:commons-logging:jar:1.2:compile
> [INFO] +- com.sun.xml.bind:jaxb-core:jar:2.2.11:test
> [INFO] \- com.sun.xml.bind:jaxb-impl:jar:2.2.11:test
> {code}
> {code:xml|title=mvn dependency:tree (without camel-test-spring)}
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ bugreport ---
> [INFO] com.example:bugreport:jar:1.0.0-SNAPSHOT
> [INFO] \-
> org.springframework.boot:spring-boot-starter-web:jar:1.3.2.RELEASE:compile
> [INFO] +-
> org.springframework.boot:spring-boot-starter:jar:1.3.2.RELEASE:compile
> [INFO] | +- org.springframework.boot:spring-boot:jar:1.3.2.RELEASE:compile
> [INFO] | +-
> org.springframework.boot:spring-boot-autoconfigure:jar:1.3.2.RELEASE:compile
> [INFO] | +-
> org.springframework.boot:spring-boot-starter-logging:jar:1.3.2.RELEASE:compile
> [INFO] | | +- ch.qos.logback:logback-classic:jar:1.1.3:compile
> [INFO] | | | +- ch.qos.logback:logback-core:jar:1.1.3:compile
> [INFO] | | | \- org.slf4j:slf4j-api:jar:1.7.7:compile
> [INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.13:compile
> [INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.13:compile
> [INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.13:compile
> [INFO] | +- org.springframework:spring-core:jar:4.2.4.RELEASE:compile
> [INFO] | \- org.yaml:snakeyaml:jar:1.16:runtime
> [INFO] +-
> org.springframework.boot:spring-boot-starter-tomcat:jar:1.3.2.RELEASE:compile
> [INFO] | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.0.30:compile
> [INFO] | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.0.30:compile
> [INFO] | +-
> org.apache.tomcat.embed:tomcat-embed-logging-juli:jar:8.0.30:compile
> [INFO] | \-
> org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.0.30:compile
> [INFO] +-
> org.springframework.boot:spring-boot-starter-validation:jar:1.3.2.RELEASE:compile
> [INFO] | \- org.hibernate:hibernate-validator:jar:5.2.2.Final:compile
> [INFO] | +- javax.validation:validation-api:jar:1.1.0.Final:compile
> [INFO] | +- org.jboss.logging:jboss-logging:jar:3.2.1.Final:compile
> [INFO] | \- com.fasterxml:classmate:jar:1.1.0:compile
> [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.5:compile
> [INFO] | +-
> com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
> [INFO] | \- com.fasterxml.jackson.core:jackson-core:jar:2.6.5:compile
> [INFO] +- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
> [INFO] | +- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
> [INFO] | | \- aopalliance:aopalliance:jar:1.0:compile
> [INFO] | +- org.springframework:spring-beans:jar:4.2.4.RELEASE:compile
> [INFO] | \- org.springframework:spring-context:jar:4.2.4.RELEASE:compile
> [INFO] \- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
> [INFO] \-
> org.springframework:spring-expression:jar:4.2.4.RELEASE:compile
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
