[
https://issues.apache.org/jira/browse/MNG-8132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17869212#comment-17869212
]
Lenny Primak commented on MNG-8132:
-----------------------------------
Hey, I just got bit by this in yet another project.
Any progress yet? Pretty please?
Thank you!
> Dependency-management "client" exclusions overwrite BOM exclusions
> ------------------------------------------------------------------
>
> Key: MNG-8132
> URL: https://issues.apache.org/jira/browse/MNG-8132
> Project: Maven
> Issue Type: Bug
> Components: Bootstrap & Build
> Affects Versions: 4.0.0-alpha-13, 4.0.0-beta-3
> Environment: Any
> Reporter: Lenny Primak
> Assignee: Guillaume Nodet
> Priority: Major
> Fix For: 4.0.0
>
>
> Continuation of https://issues.apache.org/jira/browse/MNG-8118
> When importing BOM and introducing exclusions, they overwrite exclusions
> already present in the BOM. They should not.
> Slack conversation link:
> [https://the-asf.slack.com/archives/C7Q9JB404/p1714938396499939]
> Regressed by https://issues.apache.org/jira/browse/MNG-5600
> Reproducer project: [https://github.com/flowlogix/bom-exclusions-mvn4]
> Offending / reproducing key lines of pom. Shiro BOM excludes non-Jakarta
> classifier reference to Shiro-core amongst other things:
> {code:java}
> <dependencyManagement>
>     <dependencies>
>         <dependency>
>             <groupId>org.apache.shiro</groupId>
>             <artifactId>shiro-bom</artifactId>
>             <version>2.0.0</version>
>             <type>pom</type>
>             <scope>import</scope>
>             <exclusions>
>                 <!-- **** Inserting below exclusion triggers the failure-->
>                 <exclusion>
>                     <groupId>org.slf4j</groupId>
>                     <artifactId>*</artifactId>
>                 </exclusion>
>             </exclusions>
>         </dependency>
>     </dependencies>
> </dependencyManagement>
> {code}
> Expected result (maven 3.9.7) only one shiro-core.jar dependency with
> _jakarta_ classifier is present:
> {code:java}
> lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree
> Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0)
> Maven home: /Users/lprimak/.sdkman/candidates/maven/3.9.7
> Java version: 22.0.1, vendor: Azul Systems, Inc., runtime:
> /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
> [INFO] Scanning for projects...
> [INFO]
> [INFO] -----------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >-----------
> [INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
> [INFO] from pom.xml
> [INFO] --------------------------------[ pom ]--------------------------------
> [INFO]
> [INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
> [INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
> [INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
> [INFO] | \- org.owasp.encoder:encoder:jar:1.2.3:compile
> [INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
> ..... cut unnecessary lines
> [INFO]
> ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Total time: 1.630 s
> [INFO] Finished at: 2024-05-28T22:44:57-04:00
> [INFO]
> ----------------------------------------------------------------------- {code}
>
> Current result (maven 4.0.0-alpha-3): both shiro-core with and without
> jakarta classifier exist:
> {code:java}
> lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree
> Apache Maven 4.0.0-beta-3 (e92f645c2749eb2a4f5a8843cf01e7441e4b559f)
> Maven home: /Users/lprimak/.sdkman/candidates/maven/4.0.0-beta-3
> Java version: 22.0.1, vendor: Azul Systems, Inc., runtime:
> /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ------------------------------------<
> com.flowlogix.repdoducers:bom-exclusions-mvn4
> >------------------------------------
> [INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
> [INFO] from pom.xml
> [INFO] ---------------------------------------------------------[ pom
> ]---------------------------------------------------------
> [INFO]
> [INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
> [INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
> [INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
> *** below should not exist - non-jakarta classifier
> [INFO] | +- org.apache.shiro:shiro-core:jar:2.0.0:compile
> [INFO] | \- org.owasp.encoder:encoder:jar:1.2.3:compile
> *** below is the correct reference to shiro-core
> [INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
> ..... cut unnecessary lines
> [INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
> to project local repository
> [INFO] Copying
> com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:consumer:1.x-SNAPSHOT to
> project local repository
> [INFO]
> -------------------------------------------------------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO]
> -------------------------------------------------------------------------------------------------------------------------
> [INFO] Total time: 2.589 s
> [INFO] Finished at: 2024-05-28T22:49:26-04:00
> [INFO]
> -------------------------------------------------------------------------------------------------------------------------
> {code}
>
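
A check for the symptom shown in the report, as an added example that is not part of the original message or of Maven: it scans `mvn dependency:tree` output for an artifact resolved under more than one classifier. The function names are hypothetical, and the parser assumes the `groupId:artifactId:type[:classifier]:version[:scope]` layout seen in the output above.

```python
import re
from collections import defaultdict

# dependency:tree lines copied from the two runs quoted in the report.
MVN3_TREE = """\
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
[INFO] | \\- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] \\- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
"""
MVN4_TREE = """\
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
[INFO] | +- org.apache.shiro:shiro-core:jar:2.0.0:compile
[INFO] | \\- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] \\- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
"""

# Tree-drawing prefix, then a coordinate with 4 to 6 colon-separated fields.
NODE = re.compile(r"^\[INFO\][\s|+\\-]*([\w.\-]+(?::[\w.\-]+){3,5})\s*$")


def parse_coordinate(coord):
    """Split a tree node into (groupId, artifactId, type, classifier, version)."""
    parts = coord.split(":")
    # Assumption: six fields means type:classifier:version:scope; fewer, no classifier.
    has_classifier = len(parts) == 6
    classifier = parts[3] if has_classifier else ""
    version = parts[4] if has_classifier else parts[3]
    return parts[0], parts[1], parts[2], classifier, version


def find_classifier_conflicts(tree_text):
    """Map groupId:artifactId to its classifiers when more than one is resolved."""
    seen = defaultdict(set)
    for line in tree_text.splitlines():
        match = NODE.match(line)
        if not match:
            continue  # banner, separator, or summary line
        group_id, artifact_id, _type, classifier, _version = parse_coordinate(match.group(1))
        seen[f"{group_id}:{artifact_id}"].add(classifier)
    return {ga: sorted(c) for ga, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    for name, tree in (("3.9.7", MVN3_TREE), ("4.0.0-beta-3", MVN4_TREE)):
        print(name, find_classifier_conflicts(tree) or "no conflicts")
```

An empty result for a build that imports a BOM with classifier-specific exclusions indicates the BOM's exclusions are still being honoured.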