[jira] [Commented] (MENFORCER-417) requireUpperBoundDeps doesn't work when dependencies are managed

Wed, 22 Jun 2022 05:07:04 -0700 


    [ 
https://issues.apache.org/jira/browse/MENFORCER-417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557401#comment-17557401
 ] 

James Howe commented on MENFORCER-417:
--------------------------------------

I found the cause, and I think it's not a bug. I hadn't noticed this in the big 
list:

{noformat}
-uk.ac.csrf:data-platform:1.0-SNAPSHOT
  +-org.springframework.boot:spring-boot-starter-data-jpa:2.7.0
    +-org.springframework.boot:spring-boot-starter-jdbc:2.7.0 (managed) <-- 
org.springframework.boot:spring-boot-starter-jdbc:2.7.0
      +-com.zaxxer:HikariCP:4.0.3 (managed) <-- com.zaxxer:HikariCP:4.0.3
        +-org.slf4j:slf4j-api:1.7.36 (managed) <-- 
org.slf4j:slf4j-api:2.0.0-alpha1
{noformat}

So it fails because one dependency wants 2.0.0-alpha1 but management has 
downgraded it to 1.7.36.

> requireUpperBoundDeps doesn't work when dependencies are managed
> ----------------------------------------------------------------
>
>                 Key: MENFORCER-417
>                 URL: https://issues.apache.org/jira/browse/MENFORCER-417
>             Project: Maven Enforcer Plugin
>          Issue Type: Bug
>          Components: Standard Rules
>    Affects Versions: 3.0.0, 3.1.0
>            Reporter: James Howe
>            Priority: Major
>             Fix For: waiting-for-feedback
>
>
> {code:xml}
> <rules>
>   <requireUpperBoundDeps/>
> </rules>{code}
> Example false-positive in a project using spring-boot-dependencies:
> {noformat}
> Failed while enforcing RequireUpperBoundDeps. The error(s) are [
> Require upper bound dependencies error for org.slf4j:slf4j-api:1.7.36 paths 
> to dependency are:
> +-com.example:project:1.0-SNAPSHOT
>   
> +-org.springframework.security.extensions:spring-security-saml2-core:1.0.10.RELEASE
>     +-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.29
> and
> +-com.example:project:1.0-SNAPSHOT
>   +-com.github.zhanhb:thymeleaf-layout-dialect:3.0.0
>     +-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.32
> and
> +-com.example:project:1.0-SNAPSHOT
>   +-org.springframework.boot:spring-boot-starter-logging:2.6.7 (managed) <-- 
> org.springframework.boot:spring-boot-starter-logging:2.6.7
>     +-org.slf4j:jul-to-slf4j:1.7.36 (managed) <-- 
> org.slf4j:jul-to-slf4j:1.7.36
>       +-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.36
> ...
> {noformat}
> No version higher than 1.7.36 is listed anywhere, and at time of writing so 
> such version has even been released (other than 2.0.0-alpha).



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to