[
https://issues.apache.org/jira/browse/MENFORCER-394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552854#comment-17552854
]
Matt Nelson commented on MENFORCER-394:
---------------------------------------
{quote}
in this issue and corresponding PR we add filtering for exclude provided scope
and optional artifacts.
{quote}
Does that include the scopes of transitives? or is it only the scope of
directly declared dependencies?
In the reproduction, the declared dependency is runtime scope, then all of its
provided transitives are being elevated to runtime scope for the context of the
convergence analysis.
{noformat}
Dependency convergence error for
org.robolectric:android-all:jar:12-robolectric-7732740:runtime paths to
dependency are:
+-io.mattnelson:menforcer394:pom:1.0-SNAPSHOT
+-dnsjava:dnsjava:jar:3.5.1:runtime
+-org.robolectric:android-all:jar:12-robolectric-7732740:runtime (scope is
being changed from provided to runtime)
and
+-io.mattnelson:menforcer394:pom:1.0-SNAPSHOT
+-io.fabric8:kubernetes-client:jar:5.12.2:runtime
+-com.squareup.okhttp3:okhttp:jar:3.12.12:runtime
+-org.robolectric:android-all:jar:10-robolectric-5803371:runtime (scope
is being changed from provided to runtime)
{noformat}
> DependencyConvergence in 3.0.0 fails on provided scoped dependencies
> --------------------------------------------------------------------
>
> Key: MENFORCER-394
> URL: https://issues.apache.org/jira/browse/MENFORCER-394
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Components: Standard Rules
> Affects Versions: 3.0.0
> Reporter: Joe Barnett
> Assignee: Sylwester Lachiewicz
> Priority: Major
> Fix For: 3.1.0
>
>
> In our project, using version 3.0.0-M3 of the maven-enforcer-plugin's
> DependencyConvergence rule passes. Using version 3.0.0 starts to show
> convergence errors where provided scope dependencies have different versions
> than compile scope dependencies, for example:
> {code:java}
> [WARNING]
> Dependency convergence error for
> org.javassist:javassist:jar:3.28.0-GA:compile paths to dependency are:
> +-com.trib3:testing:jar:1.25-dependabot-maven-org.apache.maven.plugins-maven-enforcer-plugin-3.0.0-SNAPSHOT
> +-io.dropwizard:dropwizard-auth:jar:2.0.23:compile
> +-io.dropwizard:dropwizard-jersey:jar:2.0.23:compile
> +-org.javassist:javassist:jar:3.28.0-GA:compile
> and
> +-com.trib3:testing:jar:1.25-dependabot-maven-org.apache.maven.plugins-maven-enforcer-plugin-3.0.0-SNAPSHOT
> +-io.dropwizard:dropwizard-testing:jar:2.0.23:compile
> +-org.hibernate:hibernate-core:jar:5.5.2.Final:provided
> +-org.javassist:javassist:jar:3.27.0-GA:provided
> {code}
> Is this an intended breaking change? I don't see anything in the release
> announcement that points obviously to a change here. Seems like the provided
> version shouldn't matter as it doesn't get shipped with the artifact?
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
