[jira] [Commented] (MRESOLVER-614) Collector applies depMgt entries coming from a self onto itself

Thu, 24 Oct 2024 09:28:06 -0700 


    [ 
https://issues.apache.org/jira/browse/MRESOLVER-614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17892546#comment-17892546
 ] 

Tamas Cservenak commented on MRESOLVER-614:
-------------------------------------------

So here is a reproducer:
https://github.com/cstamas/MRESOLVER-614

Notice how 3.9.9 claims level3 is 1.0.0, while 4.0.0-beta-5 says is 1.0.1 -- 
wrongly. As there is this:
https://github.com/cstamas/MRESOLVER-614/blob/main/local-repo/org/apache/maven/it/mresolver614/level2/1.0.0/level2-1.0.0.pom

So what happens is that level2 depMgt overrides its own dep definitions. 
Basically "in parent" does not matter, just like I assumed.

> Collector applies depMgt entries coming from a self onto itself
> ---------------------------------------------------------------
>
>                 Key: MRESOLVER-614
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-614
>             Project: Maven Resolver
>          Issue Type: Bug
>          Components: Resolver
>    Affects Versions: 2.0.2
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 2.0.3
>
>
> In Maven3 this was not a problem, as Maven3 could add depMgt only on "root 
> level".
> In Maven4 with use of new/old transitive Dependency Managers this became a 
> problem. The dependency manager first receives depMgt entries for currently 
> processed node, and then applies it onto same entry, overriding direct 
> dependency versions.
> Example with Maven beta-5: it cannot build Resolver master 
> (88a96ac0606d4d2372452a677d9f93c0b55105a4) as bnd-maven-plugin do depend on 
> plexus-utils via path of {{bnd-maven-plugin > build-api > plexus-utils}} as 
> it explodes due lack of org.plexus.utils.Scanner on classpath. This class was 
> introduced in plexus-utils 1.5.8, and build-api do depend on it. But alas, 
> build-api parent contains depMgt entry for plexus-utils 1.5.5 and is applied 
> onto build-api overriding it's own dependency version.
> Basically current resolver code is NOT prepared for any "transitive 
> dependency management" (despite DependencyManagers are there) as node would 
> apply it's own depManagement rules onto itself.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to