[
https://issues.apache.org/jira/browse/TIKA-3934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17636242#comment-17636242
]
Konstantin Gribov edited comment on TIKA-3934 at 11/19/22 10:31 PM:
--------------------------------------------------------------------
It seems that it doesn't if the dependency isn't used in the tika artifact in
any way (including test dependencies).
If I have an import for {{org.apache.tika:tika-bom}} and add
{{org.apache.tika:tika-core}} and {{io.netty:netty-buffer}} without versions,
both Maven and Gradle builds will fail.
On the other hand, the {{log4j-core}} version (and the version constraint in the
Gradle case) leaks from {{tika-parent}} via {{tika-bom}}. Inconsistently in the
Maven case.
||Type||Use BOM||tika-core||log4j-core||Result||
|Maven|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Maven|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.18.0|
|Maven|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|
|Gradle|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|
Test Maven project (run {{mvn package}} to see actual dependencies in the
output):
{code:xml|title=pom.xml}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>bom-test</artifactId>
  <version>1.0-SNAPSHOT</version>
  <properties>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.tika</groupId>
        <artifactId>tika-bom</artifactId>
        <version>2.6.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-core</artifactId>
      <!--<version>2.6.0</version>-->
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <!--<version>2.18.0</version>-->
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>3.3.0</version>
        <executions>
          <execution>
            <id>test</id>
            <phase>package</phase>
            <goals>
              <goal>copy-dependencies</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/deps</outputDirectory>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
{code}
Gradle test project (run {{gradle dependencyInsight --dependency log4j}} or
{{gradle dependencies --configuration rC}}):
{code:groovy|title=settings.gradle.kts}
dependencyResolutionManagement {
    repositories.mavenCentral()
}
{code}
{code:groovy|title=build.gradle.kts}
plugins {
    id("java-library")
}
dependencies {
    api(platform("org.apache.tika:tika-bom:2.6.0"))
    api("org.apache.tika:tika-core")
    implementation("org.apache.logging.log4j:log4j-core:2.18.0")
}
{code}
was (Author: grossws):
It seems that it doesn't; if I have an import for {{org.apache.tika:tika-bom}}
and add {{org.apache.tika:tika-core}} and {{io.netty:netty-buffer}} without
versions, both Maven and Gradle builds will fail.
On the other hand, the {{log4j-core}} version (and the version constraint in the
Gradle case) leaks from {{tika-parent}} via {{tika-bom}}.
||Type||Use BOM||tika-core||log4j-core||Result||
|Maven|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Maven|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.18.0|
|Maven|no|2.6.0.|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|
|Gradle|yes|-|-|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|yes|-|2.18.0|log4j-api 2.19.0, log4j-core 2.19.0|
|Gradle|no|2.6.0|2.18.0|log4j-api 2.18.0, log4j-core 2.18.0|
Test Maven project (run {{mvn package}} to see actual dependencies in the
output):
{code:xml|title=pom.xml}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>bom-test</artifactId>
  <version>1.0-SNAPSHOT</version>
  <properties>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.tika</groupId>
        <artifactId>tika-bom</artifactId>
        <version>2.6.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-core</artifactId>
      <!--<version>2.6.0</version>-->
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <!--<version>2.18.0</version>-->
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>3.3.0</version>
        <executions>
          <execution>
            <id>test</id>
            <phase>package</phase>
            <goals>
              <goal>copy-dependencies</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/deps</outputDirectory>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
{code}
Gradle test project (run {{gradle dependencyInsight --dependency log4j}} or
{{gradle dependencies --configuration rC}}):
{code:kotlin|title=settings.gradle.kts}
dependencyResolutionManagement {
    repositories.mavenCentral()
}
{code}
{code:kotlin|title=build.gradle.kts}
plugins {
    `java-library`
}
dependencies {
    api(platform("org.apache.tika:tika-bom:2.6.0"))
    api("org.apache.tika:tika-core")
    implementation("org.apache.logging.log4j:log4j-core:2.18.0")
}
{code}
> Reorganize POMs parent chain to avoid leaking dependency management downstream
> ------------------------------------------------------------------------------
>
> Key: TIKA-3934
> URL: https://issues.apache.org/jira/browse/TIKA-3934
> Project: Tika
> Issue Type: Improvement
> Components: depedency
> Affects Versions: 2.6.0
> Reporter: Konstantin Gribov
> Assignee: Konstantin Gribov
> Priority: Major
> Fix For: 2.6.1, 2.7.0
>
>
> Tika's BOM (Bill of Materials) artifact has {{tika-parent}} as a parent POM
> and thus forces a lot of dependency versions on downstream users.
> For example, if one uses only the PDF module, there's no reason to force
> Netty/Jetty/CXF/whatever versions.
> I propose the following:
> * make {{tika}} reactor depend on {{tika-parent}} and all other {{tika-*}}
> modules on the reactor
> * move all our dependency management and build related configuration to the
> reactor ({{tika}} root project)
> I've started this work last week and will publish the first PR for review soon.
> Moving parts from {{tika-parent}} to {{tika}} may take some time, so little
> steps without build disruption are a must.
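The leak described in the issue follows from Maven POM inheritance: a BOM that has a parent also exports the parent's {{dependencyManagement}}. The Python below is an added example, not part of the original message or Tika's code; it walks a parent chain over constructed sample POMs with hypothetical {{org.example}} coordinates and reports managed entries outside the BOM's own group, together with the POM that declares them. It assumes explicit groupId/version elements and ignores property interpolation and imported BOMs.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def make_pom(gav, parent=None, managed=()):
    """Build a minimal POM string (constructed sample data, not a real project's POM)."""
    g, a, v = gav.split(":")
    par = ""
    if parent:
        par = ("<parent><groupId>{}</groupId><artifactId>{}</artifactId>"
               "<version>{}</version></parent>").format(*parent.split(":"))
    deps = "".join(
        ("<dependency><groupId>{}</groupId><artifactId>{}</artifactId>"
         "<version>{}</version></dependency>").format(*m.split(":"))
        for m in managed)
    return (f'<project xmlns="{NS["m"]}">{par}<groupId>{g}</groupId>'
            f"<artifactId>{a}</artifactId><version>{v}</version>"
            f"<dependencyManagement><dependencies>{deps}</dependencies>"
            "</dependencyManagement></project>")

def text(el, tag):
    return el.findtext(f"m:{tag}", namespaces=NS)

def managed_with_origin(poms, start):
    """Walk the parent chain from `start`; a child's entry wins over an inherited one."""
    result, key = {}, start
    while key is not None:
        root = ET.fromstring(poms[key])
        path = "m:dependencyManagement/m:dependencies/m:dependency"
        for dep in root.findall(path, NS):
            ga = f"{text(dep, 'groupId')}:{text(dep, 'artifactId')}"
            result.setdefault(ga, (text(dep, "version"), key))
        p = root.find("m:parent", NS)
        key = None if p is None else f"{text(p, 'groupId')}:{text(p, 'artifactId')}"
    return result

def leaked(poms, bom, own_group):
    """Managed entries outside the BOM's own group, with the POM that declares them."""
    return {ga: vo for ga, vo in managed_with_origin(poms, bom).items()
            if not ga.startswith(own_group + ":")}

# Constructed sample: one BOM inheriting from a build parent, one standalone BOM.
POMS = {
    "org.example:example-parent": make_pom("org.example:example-parent:1.0", managed=[
        "org.apache.logging.log4j:log4j-core:2.19.0", "org.slf4j:slf4j-api:2.0.3"]),
    "org.example:example-bom": make_pom("org.example:example-bom:1.0",
        parent="org.example:example-parent:1.0", managed=["org.example:example-core:1.0"]),
    "org.example:standalone-bom": make_pom("org.example:standalone-bom:1.0",
        managed=["org.example:example-core:1.0"]),
}
```
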