[ 
https://issues.apache.org/jira/browse/MNG-7906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17812527#comment-17812527
 ] 

Henning Schmiedehausen commented on MNG-7906:
---------------------------------------------

[~cstamas] pinged me on [https://github.com/basepom/maven-plugins/issues/10]

FWIW, I am very much with [~elharo]. The current behavior has existed for close to 
20 years and changing it would break large parts of the ecosystem.

Frankly, the fact that there are multiple ways to do dep resolution over the 
years, the ever-changing nature of the Maven resolver and the complicated and 
under-documented way to access repositories make it hard for Maven users to get 
this right and near impossible for plugin writers to build something that 
matches the core behavior.

"effective pom" is not a debugging tool for the faint of heart. Running it on a 
major project makes it near impossible to understand its output.

If you want a tool that actually works for humans, try 
[https://github.com/basepom/dependency-versions-check-maven-plugin]

It produces output like this:

{{[INFO] All dependencies for 'compile' scope:}}
{{[INFO] com.fasterxml.jackson.core:jackson-annotations: compile 2.13.4 (2.10.3)}}
{{[INFO] com.github.docker-java:docker-java-api: compile 3.2.13}}
{{[INFO] com.github.docker-java:docker-java-transport: compile 3.2.13}}
{{[INFO] com.github.docker-java:docker-java-transport-zerodep: compile 3.2.13}}
{{[INFO] com.google.code.findbugs:jsr305: compile 1.3.9}}
{{[INFO] junit:junit: compile 4.13.2}}
{{[INFO] net.bytebuddy:byte-buddy: compile 1.10.14 (!1.12.10!)}}
{{[INFO] net.java.dev.jna:jna: compile 5.8.0}}
{{[INFO] org.apache.commons:commons-compress: compile 1.21}}
{{[INFO] org.apache.flink:flink-shaded-force-shading: compile 16.2}}
{{[INFO] org.apache.logging.log4j:log4j-api: compile 2.17.1}}
{{[INFO] org.apache.logging.log4j:log4j-core: compile 2.17.1}}
{{[INFO] org.apache.logging.log4j:log4j-slf4j-impl: compile 2.17.1}}
{{[INFO] org.apiguardian:apiguardian-api: compile 1.1.2}}
{{[INFO] org.assertj:assertj-core: compile 3.23.1}}
{{[INFO] org.jetbrains:annotations: compile 17.0.0}}
{{[INFO] org.junit.jupiter:junit-jupiter: compile 5.9.1}}
{{[INFO] org.junit.jupiter:junit-jupiter-api: compile 5.9.1}}
{{[INFO] org.junit.jupiter:junit-jupiter-params: compile 5.9.1}}
{{[INFO] org.junit.platform:junit-platform-commons: compile 1.9.1 (1.8.2)}}
{{[INFO] org.junit.platform:junit-platform-engine: compile 1.9.1}}
{{[INFO] org.junit.vintage:junit-vintage-engine: compile 5.9.1}}
{{[INFO] org.opentest4j:opentest4j: compile 1.2.0}}
{{[INFO] org.rnorth.duct-tape:duct-tape: compile 1.0.8}}
{{[INFO] org.slf4j:slf4j-api: compile 1.7.36 (1.7.25, 1.7.35)}}
{{[INFO] org.testcontainers:testcontainers: compile 1.17.2}}

which users can actually use to figure out what is wrong with their build. It 
does approximate what the resolver does (and there is no way for me to actually 
validate that it matches the core behavior).

> Dependency Management import does not work the "maven way"
> ----------------------------------------------------------
>
>                 Key: MNG-7906
>                 URL: https://issues.apache.org/jira/browse/MNG-7906
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies, Documentation:  General
>            Reporter: Tamas Cservenak
>            Priority: Major
>             Fix For: 4.0.x-candidate
>
>
> This affects all released Maven versions so far.
> Problem reproducer: https://github.com/cstamas/MNG-7852 (repo name is wrong, 
> obviously).
> In short: unlike with dependencies, where you CAN override some "deep 
> transitive" dependency by re-declaring it directly as 1st level dependency in 
> POM, for depMgt import this does not work, actually, it works quite the 
> opposite ("first comes, wins"). Moreover, Maven remains silent about this, as 
> reproducer shows, and all of this goes unnoticed.
> Solution: at least depMgt import should make "the maven way", maybe not by 
> default (to not break existing builds) but configurable. Problem is solved if 
> in reproducer:
> - with fix enabled, junit 5.9.3 is used, AND
> - with fix disabled, Maven yells about ignored depMgt import



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
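
The "first comes, wins" behaviour of depMgt imports described in the issue, and the warning the reporter asks for, shown as an added example that is not Maven's resolver code and not part of the original message. It is a simplified model: the BOM name `example:platform-bom:1.0` and the version 5.9.1 are constructed sample values, and only junit 5.9.3 comes from the issue text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ignored:
    ga: str               # groupId:artifactId
    kept_version: str     # version that stays in effect
    kept_from: str        # import that declared it first
    ignored_version: str  # version that was silently dropped
    ignored_from: str     # later import that declared it


def merge_imports(imports):
    """Merge managed versions from imports in declaration order, first wins.

    imports: list of (bom_name, {"groupId:artifactId": version}).
    Returns (effective, ignored), where ignored lists every entry that lost
    to an earlier import declaring a different version.
    """
    effective, origin, ignored = {}, {}, []
    for bom, managed in imports:
        for ga, version in managed.items():
            if ga not in effective:
                effective[ga] = version
                origin[ga] = bom
            elif effective[ga] != version:
                ignored.append(
                    Ignored(ga, effective[ga], origin[ga], version, bom))
    return effective, ignored


def report(imports):
    """Render the warnings the issue says are missing today."""
    _, ignored = merge_imports(imports)
    return [f"WARNING: {i.ga} {i.ignored_version} from {i.ignored_from} "
            f"ignored; {i.kept_version} from {i.kept_from} wins"
            for i in ignored]


# Constructed input: an earlier import already manages junit-jupiter, so the
# later junit-bom import asking for 5.9.3 has no effect.
IMPORTS = [
    ("example:platform-bom:1.0", {"org.junit.jupiter:junit-jupiter": "5.9.1",
                                  "org.slf4j:slf4j-api": "1.7.36"}),
    ("org.junit:junit-bom:5.9.3", {"org.junit.jupiter:junit-jupiter": "5.9.3"}),
]

if __name__ == "__main__":
    for line in report(IMPORTS):
        print(line)
```

In a build pipeline, a non-empty warning list from a check of this kind is the signal that a version bump made through a later import never took effect.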
