[
https://issues.apache.org/jira/browse/MENFORCER-316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16609381#comment-16609381
]
Chris Povirk commented on MENFORCER-316:
----------------------------------------
One half-workaround is to run `requireUpperBoundDeps` not on the project
itself but on a dummy project that depends on the real project but is otherwise
empty. That way, the real project's `dependencyManagement` section is largely
ignored. But note that ignoring `dependencyManagement` could be either a bonus
or a problem: If what you really want to check is what dependencies your
project will have _when it's used by another project_, then it's a bonus, since
that's exactly what you'll be checking. (And such a dummy project is a good
idea for such shared libraries, independent of this bug.) But if your project
is a leaf node (or at least it's used only from projects that use the same
`dependencyManagement` section), then it's a bad thing, since you're ignoring
`dependencyManagement` that ought to have an effect.
> requireUpperBoundDeps sometimes still ineffective when dependencyManagement
> is used
> -----------------------------------------------------------------------------------
>
> Key: MENFORCER-316
> URL: https://issues.apache.org/jira/browse/MENFORCER-316
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Affects Versions: 3.0.0-M2
> Reporter: Chris Povirk
> Priority: Major
> Attachments: menforcerbug.tar
>
>
> This sounds similar to
> [MENFORCER-146|https://issues.apache.org/jira/browse/MENFORCER-146], but that
> was fixed long ago.
> Attached is a multi-module project whose:
> * `core` module depends on checker-compat-qual 2.5.3
> * `core` module depends on guava 25.1-android, which
> [depends|https://repo1.maven.org/maven2/com/google/guava/guava/25.1-android/guava-25.1-android.pom]
> [on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/25.1-android/guava-parent-25.1-android.pom]
> checker-compat-qual 2.0.0
> * `extension` module depends on the `core` module and checker-compat-qual
> 2.1.0
> That's 3 different versions of checker-compat-qual in the dependency graph of
> `extension`. As expected, `extension` chooses the nearest version, 2.1.0:
> {noformat}
> $ rm -rf ~/.m2/repository/com/google/menforcer/ && /tmp/tmp.Q0KJ1iotaP/apache-maven-3.5.4/bin/mvn clean install dependency:build-classpath | perl -ne 'print if /Building extension/ ... 0' | grep -o 'checker-compat-qual-[^:]*'
> checker-compat-qual-2.1.0.jar
> {noformat}
> This is not the newest version, though, so I would expect the configured
> `requireUpperBoundDeps` check to fail. Yet it succeeds, unable to detect the
> problem.
> Interestingly, it is able to detect the problem if I remove the
> dependencyManagement section from the parent pom.
> Also interestingly, it is also able to detect the problem if I update the
> guava dependency to version 26.0-android, which [depends
> on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom]
> checker-compat-qual 2.5.3.
> So it seems like the enforcer is confused by a combination of (a) a
> dependencyManagement section and (b) a transitive dependency on an even older
> version of the non-upper-bounded library.
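The dummy-project workaround described in the comment above, as an added example that is not part of the issue, the attached reproducer, or the plugin's own documentation: a standalone pom.xml with no parent and no `dependencyManagement`, so it resolves the `extension` module exactly as an outside consumer would, and runs `requireUpperBoundDeps` on that view. The groupId `com.google.menforcer` is the one visible in the reproducer's local-repository path; the module version is not given on the page, so `REPRODUCER-VERSION` is a placeholder.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>extension-upper-bound-check</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <!-- Deliberately no <parent> and no <dependencyManagement>: the library is
       resolved here the way a downstream consumer would see it, so a transitive
       downgrade (e.g. checker-compat-qual 2.1.0 winning over 2.5.3) is visible
       to the rule instead of being masked by managed versions. -->
  <dependencies>
    <dependency>
      <groupId>com.google.menforcer</groupId>
      <artifactId>extension</artifactId>
      <version>REPRODUCER-VERSION</version> <!-- placeholder: not given on the page -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M2</version> <!-- version named in the issue -->
        <executions>
          <execution>
            <id>enforce-upper-bound-deps</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Fails the build when Maven's nearest-wins resolution picks a
                     version older than another version present in the graph. -->
                <requireUpperBoundDeps/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn validate` in this dummy project (after the reproducer has been installed to the local repository) exercises the rule against the consumer-side dependency graph; as the comment notes, this only reflects what the real project's own `dependencyManagement` would have done if that project is itself a leaf or is consumed under the same managed versions.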