[jira] [Comment Edited] (MNG-7906) Dependency Management import does not work the "maven way"

Sun, 05 Nov 2023 01:08:04 -0700 


    [ 
https://issues.apache.org/jira/browse/MNG-7906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782960#comment-17782960
 ] 

Herve Boutemy edited comment on MNG-7906 at 11/5/23 8:07 AM:
-------------------------------------------------------------

I know it's suprising, particularly when we have no way to see the path to an 
imported dependencyManagement (see MPH-183 MNG-7344)

I'm not convinced having the latest import override first imports really makes 
sense: order in dependency declaration matters

but for sure, currently debugging nested dependencyManagement import is hard: I 
saw it on sigstore-maven-plugin 0.4.0 where the import tree is huge


was (Author: hboutemy):
I know it's suprising, particularly when we have no way to see the path to an 
imported dependencyManagement (see MPH-183 MNG-7344)

I'm not convinced having the latest import override first imports really makes 
sense: order in dependency declaration matters

> Dependency Management import does not work the "maven way"
> ----------------------------------------------------------
>
>                 Key: MNG-7906
>                 URL: https://issues.apache.org/jira/browse/MNG-7906
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Tamas Cservenak
>            Priority: Blocker
>             Fix For: 4.0.x-candidate
>
>
> This affects all released Maven versions so far.
> Problem reproducer: https://github.com/cstamas/MNG-7852 (repo name is wrong, 
> obviously).
> In short: unlike with dependencies, where you CAN override some "deep 
> transitive" dependency by re-declaring it directly as 1st level dependency in 
> POM, for depMgt import this does not work, actually, it works quite the 
> opposite ("first comes, wins"). Moreover, Maven remains silent about this, as 
> reproducer shows, and all of this goes unnoticed.
> Solution: at least depMgt import should make "the maven way", maybe not by 
> default (to not break existing builds) but configurable. Problem is solved if 
> in reproducer:
> - with fix enabled, junit 5.9.3 is used, AND
> - with fix disabled, Maven yells about ignored depMgt import



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to