Donatien RIVIERE created MNG-6607:
-------------------------------------
Summary: Transitive dependencies brought by provided scope and
compile scope are computed as compile scope
Key: MNG-6607
URL: https://issues.apache.org/jira/browse/MNG-6607
Project: Maven
Issue Type: Bug
Components: Dependencies
Affects Versions: 3.6.0, 3.5.0, 3.3.9
Environment: maven-3.3.9 to maven-3.6.0
Reporter: Donatien RIVIERE
Attachments: test-dependencies-project.zip
We face an issue when a same +artifact-X+ is transitively brought by a
+dependency-1+
with *provided* scope, and another +dependency-2+ with *default (compile)*
scope.
This +artifact-X+ will be computed as *compile* scope, while we expect it to be
explicitly provided by +dependency-1+.
For example, +dependency-1+ pom contains:
{code:xml}
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.7</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.1</version>
</dependency>
</dependencies>
{code}
+dependency-2+ pom contains:
{code:xml}
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.8</version>
</dependency>
</dependencies>
{code}
Assembly project pom contains:
{code:xml}
<dependencies>
<!-- do not include dependencies already provided by module-1 at
runtime -->
<dependency>
<groupId>com.company</groupId>
<artifactId>module-1</artifactId>
<version>1.0</version>
<scope>provided</scope>
</dependency>
<!-- get dependencies required by module-2 runtime -->
<dependency>
<groupId>com.company</groupId>
<artifactId>module-2</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
{code}
But a _mvn dependency:tree_ on assembly project will output:
{code}
[INFO] --- maven-dependency-plugin:3.1.0:tree (show-app-dependencies) @
module-3 ---
[INFO] com.company:module-3:pom:1.0
[INFO] +- com.company:module-1:jar:1.0:provided
[INFO] | +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] | \- org.apache.commons:commons-collections4:jar:4.1:provided
[INFO] \- com.company:module-2:jar:1.0:compile
{code}
And we can see the artifact `commons-lang3:jar:3.7` which come from
dependency-1 is now at **compile** scope. Note that we don't use any
`<dependencyManagement>` here.
This is very confusing, and leads to duplicate libraries in runtime classpath
when `dependency-1` is effectively provided in classpath of `dependency-2`
runtime (for example by an application server).
Moreover, based on Maven documentation about dependency mediation/scope, the
transitive dependencies that are provided should be always **ommited**.
http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope
Then, how to package ONLY the libraries defined as compile/runtime (and ignore
all the provided ones, and their transitives) ??
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
