gnodet commented on issue #11772: URL: https://github.com/apache/maven/issues/11772#issuecomment-4030430839
Following up on the flattening discussion — after more analysis, here's where I'm landing: ### The managed dep removal question In my previous comment, I suggested fixing #11346 by not removing "unused" managed deps during flattening. But that's not practical: when using BOMs like Spring Boot or Quarkus, flattening without removal would bloat every consumer POM with hundreds of irrelevant managed dep entries. That's why the removal was added in the first place. And non-flattening doesn't really help here either — keeping the `<parent>`/BOM reference avoids the bloat in the POM file, but those hundreds of managed deps are still resolved during dependency resolution. Same cost, different place. ### Rethinking #11346 The #11346 scenario relies on managed deps "leaking through" from a transitive dependency's POM to control versions in the consumer's graph. Specifically: consumer A depends on B:1.0 (no transitive deps), A's parent manages C:1.2 (appears "unused"). Consumer D overrides B to 2.0, which brings in C:1.1 transitively, and expects A's managed C:1.2 to kick in. This is really a **dependency alignment** problem. Relying on implicit managed dep inheritance through the transitive graph is fragile. The right answer is for consumer D to handle alignment explicitly — via `<scope>import</scope>` BOMs, enforced platforms (Quarkus/Spring Boot style), or a future Maven alignment mechanism. If we treat #11346 as "not a bug, just an unsupported use case", then: - Removing unused managed deps during flattening is fine (keeps POMs lean) - Flattening remains a good default ### So do we still need dual consumer POMs? This brings us back to the core question: **is there a strong reason to support non-flattened consumer POMs at all?** If flattening + removal is the right default, then dual consumer POMs are only needed when someone explicitly opts out of flattening. The question is whether that opt-out path needs to exist, and if so, whether it justifies the complexity of dual consumer POMs + classifier-based parent resolution. Thoughts? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
