Dave Wichers created MPIR-430:
---------------------------------
Summary: Dependency Convergence calculation should ignore
'provided' direct and transitive dependencies
Key: MPIR-430
URL: https://issues.apache.org/jira/browse/MPIR-430
Project: Maven Project Info Reports Plugin
Issue Type: Bug
Components: dependency-convergence
Affects Versions: 3.4.2
Reporter: Dave Wichers

If a direct or transitive dependency is 'provided', then excluding it has no
effect, I believe. As an example, this other Apache project:
[https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html] -
when it calculates enforcement of dependency convergence, it already ignores
'provided' dependencies. I have a project I'm supporting called ESAPI, and if
you look at its pom here:
[https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L165], you'll
see this pom excludes a dependency for the 'provided' dependency
javax.servlet.jsp-api. The project does this to get 100% convergence for the
MPIR convergence report even though 'excluding' this transitive dependency has
no actual effect.

When I drop this exclusion, the 100% convergence requirement enforced by the
maven enforcer plugin per:
[https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#570] still
passes.

There is also a 'provided' transitive dependency of a real dependency here that
we have to exclude:
[https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#189] (the
xml-api exclusion).

These two exclusions are really unnecessary.

Can you enhance the dependency convergence calculations of the MPIR plugin to
ignore all direct or transitive 'provided' dependencies to match the behavior
of the Maven Enforcer Plugin?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)