[
https://issues.apache.org/jira/browse/MNG-8041?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tamas Cservenak updated MNG-8041:
---------------------------------
Description:
This bug affects all released Maven versions.
Reproducer: [https://github.com/cstamas/MNG-8041]
Description of the bug: when a Mojo requires Core to collect/resolve given
ResolutionScope, Maven Core does it wrong. Problem is how
LifecycleDependencyResolver and DefaultProjectDependenciesResolver colaborate
plus, how Resolver works. LDR constructs the Resolver filters properly, then it
calls into DPDR, that performs collection. To achieve that, DPDR *blindly* adds
all the POM dependencies to Collect request (which is graph root). But this is
wrong, as this should happen with considering requested (to be included or to
be excluded) scopes. Next what happens, that when collect request is processed
by Resolver, it will contain nodes from unwanted scopes (as Maven Core blindly
added all of them from POM. Also, if Resolver would be asked to create root, it
would NOT add these in the first place), and due that, conflict resolver may
possibly eliminate other nodes (as POM ones "always wins", are closest to graph
root), and also, even the winners will be eliminate in subsequent step, for
example due scope filtering. This results in incomplete resolution scope.
Consequence: let's consider example where Mojo asks for "runtime" resolution
scope. To serve this, Maven will add ALL dependencies present in POM to collect
request (even those in scopes to be omitted, like "test" scoped ones), and will
perform "collect" with Resolver. When Resolver returns, the graph will contain
nodes (as 1st level, as they are POM direct dependendencies) that MAY be
contained in deeper nodes of non-test scoped ones (the guice+guava example).
Next, "conflict resolution" happens, and naturally all the "test" scoped 1st
level dependencies "win", rendering removal of others. Finally, due "runtime"
requested resolution scope, the "test" scoped dependencies are (rightfully)
filtered out. {*}This obviously leads to incomplete runtime build path{*}.
Or in other words, Maven is wrong here: it adds 1st level dependencies to
CollectRequest that should not be there in the first place (in example above,
the "test" scoped ones), that will cause that Resolver "collect" step build a
graph that has "unwanted" scoped nodes closer to root than actually needed
runtime dependencies (remember: test nodes will be not affected by filter, as
they are already present, added by Maven, and test node children are collected
also as "runtime", just to have "test" scope inherited later in the process,
hence all the children of "test" node will end up in "test" scope, despite
"exclude test" is present!), this will cause that in dependency conflict
resolution step, they will kick out all the rightful runtime dependencies, and
finally, all these winners are removed due scope filter.
Implication of this bug is following important fact: the project "runtime"
resolution scope (as when asked by Mojo) and project "runtime" resolution scope
(as when used as a dependency on some downstream project) {*}were not the
same{*}!
Effects of this bug are explained in "Important Consequences" section of this
page
[https://maven.apache.org/resolver-archives/resolver-2.0.0-alpha-7/common-misconceptions.html#important-consequences]
(that is wrongly written: all that is a consequence of this bug). Also, have
to note, that when this bug get addressed, it will NOT render "workarounds"
broken (ie. introduction of another module just to package "runtime" classpath
using m-assembly-p or alike plugins), just "obsolete", as packaging of runtime
dependencies will become possible in-situ (in the same module of the project).
was:
This bug affects all released Maven versions.
Reproducer: [https://github.com/cstamas/MNG-8041]
Description of the bug: when a Mojo requires Core to collect/resolve given
ResolutionScope, Maven Core does it wrong. Problem is how
LifecycleDependencyResolver and DefaultProjectDependenciesResolver colaborate
plus, how Resolver works. LDR constructs the Resolver filters properly, then it
calls into DPDR, that performs collection. To achieve that, DPDR *blindly* adds
all the POM dependencies to Collect request (which is graph root). But this is
wrong, as this should happen with considering requested (to be included or to
be excluded) scopes. Next what happens, that when collect request is processed
by Resolver, it will contain nodes from unwanted scopes (as Maven Core blindly
added all of them from POM. Also, if Resolver would be asked to create root, it
would NOT add these in the first place), and due that, conflict resolver may
possibly eliminate other nodes (as POM ones "always wins", are closest to graph
root), and also, even the winners will be eliminate in subsequent step, for
example due scope filtering. This results in incomplete resolution scope.
Consequence: let's consider example where Mojo asks for "runtime" resolution
scope. To serve this, Maven will add ALL dependencies present in POM to collect
request (even those in scopes to be omitted, like "test" scoped ones), and will
perform "collect" with Resolver. When Resolver returns, the graph will contain
nodes (as 1st level, as they are POM direct dependendencies) that MAY be
contained in deeper nodes of non-test scoped ones (the guice+guava example).
Next, "conflict resolution" happens, and naturally all the "test" scoped 1st
level dependencies "win", rendering removal of others. Finally, due "runtime"
requested resolution scope, the "test" scoped dependencies are (rightfully)
filtered out. {*}This obviously leads to incomplete runtime build path{*}.
Or in other words, Maven is wrong here: it adds 1st level dependencies to
CollectRequest that should not be there in the first place (in example above,
the "test" scoped ones), that will cause that Resolver "collect" step build a
graph that has "unwanted" scoped nodes closer to root than actually needed
runtime dependencies (remember: test nodes will be not affected by filter, as
they are already present, added by Maven, and test node children are collected
also as "runtime", just to have "test" scope inherited later in the process,
hence all the children of "test" node will end up in "test" scope, despite
"exclude test" is present!), this will cause that in dependency conflict
resolution step, they will kick out all the rightful runtime dependencies, and
finally, all these winners are removed due scope filter.
Implication of this bug is following important fact: the project "runtime"
resolution scope (as when asked by Mojo) and project "runtime" resolution scope
(as when used as a dependency on some downstream project) {*}were not the
same{*}!
> Maven Core bug regarding resolution scopes for Mojos
> ----------------------------------------------------
>
> Key: MNG-8041
> URL: https://issues.apache.org/jira/browse/MNG-8041
> Project: Maven
> Issue Type: Bug
> Components: Artifacts and Repositories
> Reporter: Tamas Cservenak
> Priority: Major
>
> This bug affects all released Maven versions.
> Reproducer: [https://github.com/cstamas/MNG-8041]
> Description of the bug: when a Mojo requires Core to collect/resolve given
> ResolutionScope, Maven Core does it wrong. Problem is how
> LifecycleDependencyResolver and DefaultProjectDependenciesResolver colaborate
> plus, how Resolver works. LDR constructs the Resolver filters properly, then
> it calls into DPDR, that performs collection. To achieve that, DPDR *blindly*
> adds all the POM dependencies to Collect request (which is graph root). But
> this is wrong, as this should happen with considering requested (to be
> included or to be excluded) scopes. Next what happens, that when collect
> request is processed by Resolver, it will contain nodes from unwanted scopes
> (as Maven Core blindly added all of them from POM. Also, if Resolver would be
> asked to create root, it would NOT add these in the first place), and due
> that, conflict resolver may possibly eliminate other nodes (as POM ones
> "always wins", are closest to graph root), and also, even the winners will be
> eliminate in subsequent step, for example due scope filtering. This results
> in incomplete resolution scope.
> Consequence: let's consider example where Mojo asks for "runtime" resolution
> scope. To serve this, Maven will add ALL dependencies present in POM to
> collect request (even those in scopes to be omitted, like "test" scoped
> ones), and will perform "collect" with Resolver. When Resolver returns, the
> graph will contain nodes (as 1st level, as they are POM direct
> dependendencies) that MAY be contained in deeper nodes of non-test scoped
> ones (the guice+guava example). Next, "conflict resolution" happens, and
> naturally all the "test" scoped 1st level dependencies "win", rendering
> removal of others. Finally, due "runtime" requested resolution scope, the
> "test" scoped dependencies are (rightfully) filtered out. {*}This obviously
> leads to incomplete runtime build path{*}.
> Or in other words, Maven is wrong here: it adds 1st level dependencies to
> CollectRequest that should not be there in the first place (in example above,
> the "test" scoped ones), that will cause that Resolver "collect" step build a
> graph that has "unwanted" scoped nodes closer to root than actually needed
> runtime dependencies (remember: test nodes will be not affected by filter, as
> they are already present, added by Maven, and test node children are
> collected also as "runtime", just to have "test" scope inherited later in the
> process, hence all the children of "test" node will end up in "test" scope,
> despite "exclude test" is present!), this will cause that in dependency
> conflict resolution step, they will kick out all the rightful runtime
> dependencies, and finally, all these winners are removed due scope filter.
> Implication of this bug is following important fact: the project "runtime"
> resolution scope (as when asked by Mojo) and project "runtime" resolution
> scope (as when used as a dependency on some downstream project) {*}were not
> the same{*}!
> Effects of this bug are explained in "Important Consequences" section of this
> page
> [https://maven.apache.org/resolver-archives/resolver-2.0.0-alpha-7/common-misconceptions.html#important-consequences]
> (that is wrongly written: all that is a consequence of this bug). Also, have
> to note, that when this bug get addressed, it will NOT render "workarounds"
> broken (ie. introduction of another module just to package "runtime"
> classpath using m-assembly-p or alike plugins), just "obsolete", as packaging
> of runtime dependencies will become possible in-situ (in the same module of
> the project).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
