[ https://issues.apache.org/jira/browse/MNG-7906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782960#comment-17782960 ]
Herve Boutemy edited comment on MNG-7906 at 11/5/23 8:07 AM: ------------------------------------------------------------- I know it's suprising, particularly when we have no way to see the path to an imported dependencyManagement (see MPH-183 MNG-7344) I'm not convinced having the latest import override first imports really makes sense: order in dependency declaration matters but for sure, currently debugging nested dependencyManagement import is hard: I saw it on sigstore-maven-plugin 0.4.0 where the import tree is huge was (Author: hboutemy): I know it's suprising, particularly when we have no way to see the path to an imported dependencyManagement (see MPH-183 MNG-7344) I'm not convinced having the latest import override first imports really makes sense: order in dependency declaration matters > Dependency Management import does not work the "maven way" > ---------------------------------------------------------- > > Key: MNG-7906 > URL: https://issues.apache.org/jira/browse/MNG-7906 > Project: Maven > Issue Type: Bug > Components: Dependencies > Reporter: Tamas Cservenak > Priority: Blocker > Fix For: 4.0.x-candidate > > > This affects all released Maven versions so far. > Problem reproducer: https://github.com/cstamas/MNG-7852 (repo name is wrong, > obviously). > In short: unlike with dependencies, where you CAN override some "deep > transitive" dependency by re-declaring it directly as 1st level dependency in > POM, for depMgt import this does not work, actually, it works quite the > opposite ("first comes, wins"). Moreover, Maven remains silent about this, as > reproducer shows, and all of this goes unnoticed. > Solution: at least depMgt import should make "the maven way", maybe not by > default (to not break existing builds) but configurable. Problem is solved if > in reproducer: > - with fix enabled, junit 5.9.3 is used, AND > - with fix disabled, Maven yells about ignored depMgt import -- This message was sent by Atlassian Jira (v8.20.10#820010)