[
https://issues.apache.org/jira/browse/MENFORCER-316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607665#comment-16607665
]
Chris Povirk commented on MENFORCER-316:
----------------------------------------
Perhaps the root cause is this, visible through the `extension` section of `mvn
clean install dependency:tree -Dverbose`, is:
{noformat}
[INFO] | \- (org.checkerframework:checker-compat-qual:jar:2.5.3:compile -
version managed from 2.0.0; omitted for conflict with 2.1.0)
{noformat}
If I'm reading right, Maven is saying that `core` depends on 2.0.0. But I don't
see how that could be the case: `core` declares that it depends on 2.5.3 -- and
then it's redundantly set to that in `dependencyManagement`.
Here's the full tree output for `extension`:
{noformat}
[INFO] com.google.menforcer:extension:jar:1.0
[INFO] +- com.google.menforcer:core:jar:1.0:compile
[INFO] | +- com.google.guava:guava:jar:25.1-android:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | | +- (org.checkerframework:checker-compat-qual:jar:2.5.3:compile -
version managed from 2.0.0; omitted for duplicate)
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] | | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] | \- (org.checkerframework:checker-compat-qual:jar:2.5.3:compile -
version managed from 2.0.0; omitted for conflict with 2.1.0)
[INFO] \- org.checkerframework:checker-compat-qual:jar:2.1.0:compile
{noformat}
Perhaps Maven is internally confusing the two transitive `checker-compat-qual`
dependencies? If so, this isn't an Enforcer bug so much as a general Maven bug.
> requireUpperBoundDeps sometimes still ineffective when dependencyManagement
> is used
> -----------------------------------------------------------------------------------
>
> Key: MENFORCER-316
> URL: https://issues.apache.org/jira/browse/MENFORCER-316
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Affects Versions: 3.0.0-M2
> Reporter: Chris Povirk
> Priority: Major
> Attachments: menforcerbug.tar
>
>
> This sounds similar to
> [MENFORCER-146|https://issues.apache.org/jira/browse/MENFORCER-146], but that
> was fixed long ago.
> Attached is a multi-module project whose:
> * `core` module depends on checker-compat-qual 2.5.3
> * `core` module depends on guava 25.1-android, which
> [depends|https://repo1.maven.org/maven2/com/google/guava/guava/25.1-android/guava-25.1-android.pom]
>
> [on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/25.1-android/guava-parent-25.1-android.pom]
> checker-compat-qual 2.0.0
> * `extension` module depends on the `core` module and checker-compat-qual
> 2.1.0
> That's 3 different versions of checker-compat-qual in the dependency graph of
> `extension`. As expected, `extension` chooses the nearest version, 2.1.0:
> {noformat}
> $ rm -rf ~/.m2/repository/com/google/menforcer/ &&
> /tmp/tmp.Q0KJ1iotaP/apache-maven-3.5.4/bin/mvn clean install
> dependency:build-classpath | perl -ne 'print if /Building extension/ ... 0' |
> grep -o 'checker-compat-qual-[^:]*'
> checker-compat-qual-2.1.0.jar
> {noformat}
> This is not the newest version, though, so I would expect the configured
> `requireUpperBoundDeps` check to fail. Yet it succeeds, unable to detect the
> problem.
> Interestingly, it is able to detect the problem if I remove the
> dependencyManagement section from the parent pom.
> Also interestingly, it is also able to detect the problem if I update the
> guava dependency to version 26.0-android, which [depends
> on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom]
> checker-compat-qual 2.5.3.
> So it seems like the enforcer is confused by a combination of (a) a
> dependencyManagement section and (b) a transitive dependency on an even older
> version of the non-upper-bounded library.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
