[https://issues.apache.org/jira/browse/OAK-12093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085851#comment-18085851]
Julian Reschke commented on OAK-12093:
--------------------------------------
bq. And BTW, having a clean and controlled dependencyManagement allows avoiding
pulling transitively duplicates of the same artifact in multiple versions.
No, that's not the case.
The only way to prevent "bad" transitive dependencies from being downloaded (and
from appearing in the dependency tree, which is way more important because of
security scanners) is to override that transitive dependency specifically for
that artefact. We do have cases where we are doing this, for instance to prevent
a version with a CVE from appearing in our dependencies, or to enforce a newer
version of the transitive dependency because of a bug or missing feature.
Defining the versions in the parent pom really has zero effect. But maybe I'm
wrong here, in which case I'd like to see proof.
In any case, I'm not convinced that there's something here that needs to be
fixed. If we have indeed different versions specified in *our* project for no
good reason, then, by all means, list them here so we can fix these cases (but
one-by-one, so we do not do unrelated things at once, see
<https://jackrabbit.apache.org/oak/docs/participating.html#pull-requests-prs>).
> Improve build by rationalizing dependencies
> -------------------------------------------
>
> Key: OAK-12093
> URL: https://issues.apache.org/jira/browse/OAK-12093
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Reporter: Benjamin Habegger
> Priority: Major
>
> In the current pom setup some dependencies are being downloaded multiple
> times:
> Jackson: 2.13.5, 2.17.3
> Zstd: versions 1.5.5-5, 1.5.6-3, 1.5.7-4, 1.5.7-6
> Gson: 2.10.1, 2.11.0, 2.5, 2.9.0, 2.9.1
> Error_prone_annotations: 2.11.0, 2.18.0, 2.26.1, 2.27.0, 2.3.4, 2.41.0
> j2objc-annotations: 1.3, 2.8, 3.0.0
> This increases the volume of downloaded artifacts and thus the build time.
>
> The goal of this ticket is to rationalize and centralize as much as possible
> dependencyManagement to avoid these multiple versions
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
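The per-artifact override described in the comment above, as an added illustration that is not taken from the Oak project's own pom: the unwanted transitive dependency is excluded from the artifact that pulls it in, then declared directly at the version wanted. Group ids, artifact ids and versions here are placeholders.

```xml
<!-- Added example, not Oak's pom. org.example:example-lib and
     org.example:example-transitive are placeholder coordinates. -->
<dependencies>
  <dependency>
    <groupId>org.example</groupId>
    <artifactId>example-lib</artifactId>
    <version>1.0.0</version>
    <exclusions>
      <!-- Drop the version of example-transitive that example-lib
           would otherwise bring into the dependency tree. -->
      <exclusion>
        <groupId>org.example</groupId>
        <artifactId>example-transitive</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Declare the wanted version explicitly so it is the only one
       resolved, downloaded, and shown to security scanners. -->
  <dependency>
    <groupId>org.example</groupId>
    <artifactId>example-transitive</artifactId>
    <version>2.0.0</version>
  </dependency>
</dependencies>
```

Check the result with `mvn dependency:tree -Dincludes=org.example:example-transitive`; only the explicitly declared version should appear.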