Re: Confused about how to override a transient artifact version
Just as an alternative: there is also since 3.9 the "reverse dep tree": https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L96-L104 Just pass to Maven `-Dmaven.repo.local.recordReverseTree` and Maven will populate the local repository with "back track info". Ideally just use a new empty local repo for this, as that would pull everything and populate it for all pulled artifacts. HTH T On Sat, Jul 29, 2023 at 10:24 AM Delany wrote: > Hi David, > > When I want to know what's bringing in a dependency I use > https://github.com/ferstl/depgraph-maven-plugin > > mvn depgraph:aggregate -DtargetIncludes=:jackson-databind > > And it drops a nice diagram in the root build dir. > > > com.github.ferstl > depgraph-maven-plugin > 4.0.2 > > true > > > classpath:depgraph/depgraph.json > -Kfdp -Goverlap=false -Gstart=30 > -Gsep=+10,10 > dot > true > true > false > > > false > * > > > Delany > > On Sat, 29 Jul 2023 at 01:29, David Karr > wrote: > > > In general, I know how to override transient artifact versions. You add > an > > "exclusion" for the artifact on the dependency that is including that > > dependency, and then you manually add that dependency in the same pom > where > > you added the exclusion. In my case, the version I want is defined in a > > bom in our parent pom, so I don't have to specify the version in that > > dependency. > > > > This works fine, if I do this exclusion and inclusion in the overall > "child > > pom". > > > > However, I maintain the parent pom and platform, and there will be dozens > > of "child poms" that will need to do this. I would much rather do this > > "fixup" in the poms for the libraries in our platform. Those poms > specify > > the dependencies whose versions I need to control. > > > > I've been struggling with trying to do this, along with trying to > > understand the output of "mvn dependency:tree" and the apparently > > functionally similar output in the "Dependency Hierarchy" view in Eclipse > > using the m2e plugin. Although I can loosely see the hierarchical output > > from these, I find determining the actual details of where dependencies > are > > coming from is very mystifying. > > > > To get down to actual details, my problem is that I'm ending up with > > different versions of "jackson-core" and "jackson-databind". I need to > > ensure that I have the same versions of both. I am getting v2.14.1 of > > jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 > in > > our parent pom, but somehow something in the tree is giving us v2.14.1 of > > jackson-databind. > > > > I'm going to include here a small excerpt of the "dependency:tree" output > > for our child pom: > > > > com.att.idp:RiskAssessmentMS:jar:2.8.0 > > +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile > > +- org.jasypt:jasypt:jar:1.9.3:compile > > +- com.io7m.xom:xom:jar:1.2.10:compile > > +- com.att.idp:idp-health:jar:2.8.0:compile > > | +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile > > | +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected > from > > constraint [2.8.0,2.8.100)) > > | | \- ch.qos.logback:logback-core:jar:1.2.9:compile > > | +- redis.clients:jedis:jar:3.8.0:compile > > | | \- org.apache.commons:commons-pool2:jar:2.11.1:compile > > | +- com.github.fppt:jedis-mock:jar:0.1.23:compile > > | | \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile > > | \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile > > +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile > > +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile > > > > The "idp-health" library is one of our wrapper libraries. That specifies > > dependencies that pull in jackson-databind, and in those dependencies I > > have excluded jackson-databind and included a specific dependency for > > jackson-databind. As the bom imported from the parent pom specifies > v2.13.5 > > for that, I would expect I would get jackson-databind v2.13.5, but I'm > > still getting v2.14.1. > > > > I'm very confused. > > > > I think I remember seeing discussions in the dev list about improving the > > output of dependency:tree to be clearer, I don't know if there's been any > > progress on that. > > >
Re: Confused about how to override a transient artifact version
Hi David, On Saturday , 29. July 2023, 01:29:14 CEST David Karr wrote: > In general, I know how to override transient artifact versions. You add an > "exclusion" for the artifact on the dependency that is including that > dependency, and then you manually add that dependency in the same pom where > you added the exclusion. Well, no. You do have to use exclusions only, if group or artifact is different, but not for the version. For all artifacts you want to maintain the version yourself, you add a managementDependencies section to your current POM or even better to a common parent POM where you maintain versions for a couple of (sub-)projects. > In my case, the version I want is defined in a > bom in our parent pom, so I don't have to specify the version in that > dependency. > > This works fine, if I do this exclusion and inclusion in the overall "child > pom". > > However, I maintain the parent pom and platform, and there will be dozens > of "child poms" that will need to do this. I would much rather do this > "fixup" in the poms for the libraries in our platform. Those poms specify > the dependencies whose versions I need to control. This is exactly the right lace for a common dependencyManagement section. > I've been struggling with trying to do this, along with trying to > understand the output of "mvn dependency:tree" and the apparently > functionally similar output in the "Dependency Hierarchy" view in Eclipse > using the m2e plugin. I'd not rely on that, since AFAICS Eclipse (resp. m2e) will do its own thing resolving Maven deps. > Although I can loosely see the hierarchical output > from these, I find determining the actual details of where dependencies are > coming from is very mystifying. > > To get down to actual details, my problem is that I'm ending up with > different versions of "jackson-core" and "jackson-databind". I need to > ensure that I have the same versions of both. I am getting v2.14.1 of > jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 in > our parent pom, but somehow something in the tree is giving us v2.14.1 of > jackson-databind. The only thing that might affect your own definitions in a dependencyManagement section are imports of other POMs (typically called BOMs) in this section, since their dependencies will behave as if they where defined in your dependencyManagement section also. Currently I am not sure if your own definitions take precedence if you define those before or after importing a bom, but that you can easily check with the dependency:tree So simply add the two jackson artifacts with the required version to your own depMgmnt section. [snip] > > I'm very confused. > > I think I remember seeing discussions in the dev list about improving the > output of dependency:tree to be clearer, I don't know if there's been any > progress on that. Regards, Jörg - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Confused about how to override a transient artifact version
Hi David, When I want to know what's bringing in a dependency I use https://github.com/ferstl/depgraph-maven-plugin mvn depgraph:aggregate -DtargetIncludes=:jackson-databind And it drops a nice diagram in the root build dir. com.github.ferstl depgraph-maven-plugin 4.0.2 true classpath:depgraph/depgraph.json -Kfdp -Goverlap=false -Gstart=30 -Gsep=+10,10 dot true true false false * Delany On Sat, 29 Jul 2023 at 01:29, David Karr wrote: > In general, I know how to override transient artifact versions. You add an > "exclusion" for the artifact on the dependency that is including that > dependency, and then you manually add that dependency in the same pom where > you added the exclusion. In my case, the version I want is defined in a > bom in our parent pom, so I don't have to specify the version in that > dependency. > > This works fine, if I do this exclusion and inclusion in the overall "child > pom". > > However, I maintain the parent pom and platform, and there will be dozens > of "child poms" that will need to do this. I would much rather do this > "fixup" in the poms for the libraries in our platform. Those poms specify > the dependencies whose versions I need to control. > > I've been struggling with trying to do this, along with trying to > understand the output of "mvn dependency:tree" and the apparently > functionally similar output in the "Dependency Hierarchy" view in Eclipse > using the m2e plugin. Although I can loosely see the hierarchical output > from these, I find determining the actual details of where dependencies are > coming from is very mystifying. > > To get down to actual details, my problem is that I'm ending up with > different versions of "jackson-core" and "jackson-databind". I need to > ensure that I have the same versions of both. I am getting v2.14.1 of > jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 in > our parent pom, but somehow something in the tree is giving us v2.14.1 of > jackson-databind. > > I'm going to include here a small excerpt of the "dependency:tree" output > for our child pom: > > com.att.idp:RiskAssessmentMS:jar:2.8.0 > +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile > +- org.jasypt:jasypt:jar:1.9.3:compile > +- com.io7m.xom:xom:jar:1.2.10:compile > +- com.att.idp:idp-health:jar:2.8.0:compile > | +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile > | +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from > constraint [2.8.0,2.8.100)) > | | \- ch.qos.logback:logback-core:jar:1.2.9:compile > | +- redis.clients:jedis:jar:3.8.0:compile > | | \- org.apache.commons:commons-pool2:jar:2.11.1:compile > | +- com.github.fppt:jedis-mock:jar:0.1.23:compile > | | \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile > | \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile > +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile > +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile > > The "idp-health" library is one of our wrapper libraries. That specifies > dependencies that pull in jackson-databind, and in those dependencies I > have excluded jackson-databind and included a specific dependency for > jackson-databind. As the bom imported from the parent pom specifies v2.13.5 > for that, I would expect I would get jackson-databind v2.13.5, but I'm > still getting v2.14.1. > > I'm very confused. > > I think I remember seeing discussions in the dev list about improving the > output of dependency:tree to be clearer, I don't know if there's been any > progress on that. >
Re: Confused about how to override a transient artifact version
David Karr wrote: > I've been struggling with trying to do this, along with trying to > understand the output of "mvn dependency:tree" and the apparently > functionally similar output in the "Dependency Hierarchy" view in Eclipse > using the m2e plugin. Although I can loosely see the hierarchical output > from these, I find determining the actual details of where dependencies are > coming from is very mystifying. I recommend using the effective-pom goal of the maven-help-plugin [0] to get information about the effective POM that Maven ‘sees’, and if you enable verbose output there will be comments telling you where everything came from: mvn help:effective-pom -Dverbose=true I don’t use Eclipse, but in IntelliJ IDEA there are icons in the gutter of the editor that jump to the place where a versionless dependency‘s version is declared, which can be helpful too. I don’t know if there is a similar feature in Eclipse. (The Maven Helper plugin [1] for IntelliJ IDEA is also nice as an interactive and easier to read alternative to dependency:tree, including a filtering option.) Nils. [0] https://maven.apache.org/plugins/maven-help-plugin/effective-pom-mojo.html [1] https://plugins.jetbrains.com/plugin/7179-maven-helper
Re: Confused about how to override a transient artifact version
We actually already use several different BOMs, both internal and external. It didn't occur to me to look for a jackson-bom, and that's a good idea. However, I assumed that would just be a cosmetic change, but on the first try it seemed like that made it work. I need to do some cleanup, but I think this will work. Thanks. On Fri, Jul 28, 2023 at 5:21 PM Nick Stolwijk wrote: > Hi David, > > You could try to add the Jackson BOM in the parent dependencyManagement. > That would override all versions in the (transitive) dependencies of the > child modules. For a nice explanation of BOM files, see Baeldungs blog post > [1]. > > > 4.0.0 > baeldung > Test > 0.0.1-SNAPSHOT > pom > Test > > > > > com.fasterxml.jackson > jackson-bom > 2.13.5 > pom > import > > > > > > > [1] https://www.baeldung.com/spring-maven-bom > Nick Stolwijk > > ~~~ Try to leave this world a little better than you found it and, when > your turn comes to die, you can die happy in feeling that at any rate you > have not wasted your time but have done your best ~~~ > > Lord Baden-Powell > > > On Sat, 29 Jul 2023 at 01:29, David Karr > wrote: > > > In general, I know how to override transient artifact versions. You add > an > > "exclusion" for the artifact on the dependency that is including that > > dependency, and then you manually add that dependency in the same pom > where > > you added the exclusion. In my case, the version I want is defined in a > > bom in our parent pom, so I don't have to specify the version in that > > dependency. > > > > This works fine, if I do this exclusion and inclusion in the overall > "child > > pom". > > > > However, I maintain the parent pom and platform, and there will be dozens > > of "child poms" that will need to do this. I would much rather do this > > "fixup" in the poms for the libraries in our platform. Those poms > specify > > the dependencies whose versions I need to control. > > > > I've been struggling with trying to do this, along with trying to > > understand the output of "mvn dependency:tree" and the apparently > > functionally similar output in the "Dependency Hierarchy" view in Eclipse > > using the m2e plugin. Although I can loosely see the hierarchical output > > from these, I find determining the actual details of where dependencies > are > > coming from is very mystifying. > > > > To get down to actual details, my problem is that I'm ending up with > > different versions of "jackson-core" and "jackson-databind". I need to > > ensure that I have the same versions of both. I am getting v2.14.1 of > > jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 > in > > our parent pom, but somehow something in the tree is giving us v2.14.1 of > > jackson-databind. > > > > I'm going to include here a small excerpt of the "dependency:tree" output > > for our child pom: > > > > com.att.idp:RiskAssessmentMS:jar:2.8.0 > > +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile > > +- org.jasypt:jasypt:jar:1.9.3:compile > > +- com.io7m.xom:xom:jar:1.2.10:compile > > +- com.att.idp:idp-health:jar:2.8.0:compile > > | +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile > > | +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected > from > > constraint [2.8.0,2.8.100)) > > | | \- ch.qos.logback:logback-core:jar:1.2.9:compile > > | +- redis.clients:jedis:jar:3.8.0:compile > > | | \- org.apache.commons:commons-pool2:jar:2.11.1:compile > > | +- com.github.fppt:jedis-mock:jar:0.1.23:compile > > | | \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile > > | \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile > > +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile > > +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile > > > > The "idp-health" library is one of our wrapper libraries. That specifies > > dependencies that pull in jackson-databind, and in those dependencies I > > have excluded jackson-databind and included a specific dependency for > > jackson-databind. As the bom imported from the parent pom specifies > v2.13.5 > > for that, I would expect I would get jackson-databind v2.13.5, but I'm > > still getting v2.14.1. > > > > I'm very confused. > > > > I think I remember seeing discussions in the dev list about improving the > > output of dependency:tree to be clearer, I don't know if there's been any > > progress on that. > > >
Re: Confused about how to override a transient artifact version
Hi David, You could try to add the Jackson BOM in the parent dependencyManagement. That would override all versions in the (transitive) dependencies of the child modules. For a nice explanation of BOM files, see Baeldungs blog post [1]. 4.0.0 baeldung Test 0.0.1-SNAPSHOT pom Test com.fasterxml.jackson jackson-bom 2.13.5 pom import [1] https://www.baeldung.com/spring-maven-bom Nick Stolwijk ~~~ Try to leave this world a little better than you found it and, when your turn comes to die, you can die happy in feeling that at any rate you have not wasted your time but have done your best ~~~ Lord Baden-Powell On Sat, 29 Jul 2023 at 01:29, David Karr wrote: > In general, I know how to override transient artifact versions. You add an > "exclusion" for the artifact on the dependency that is including that > dependency, and then you manually add that dependency in the same pom where > you added the exclusion. In my case, the version I want is defined in a > bom in our parent pom, so I don't have to specify the version in that > dependency. > > This works fine, if I do this exclusion and inclusion in the overall "child > pom". > > However, I maintain the parent pom and platform, and there will be dozens > of "child poms" that will need to do this. I would much rather do this > "fixup" in the poms for the libraries in our platform. Those poms specify > the dependencies whose versions I need to control. > > I've been struggling with trying to do this, along with trying to > understand the output of "mvn dependency:tree" and the apparently > functionally similar output in the "Dependency Hierarchy" view in Eclipse > using the m2e plugin. Although I can loosely see the hierarchical output > from these, I find determining the actual details of where dependencies are > coming from is very mystifying. > > To get down to actual details, my problem is that I'm ending up with > different versions of "jackson-core" and "jackson-databind". I need to > ensure that I have the same versions of both. I am getting v2.14.1 of > jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 in > our parent pom, but somehow something in the tree is giving us v2.14.1 of > jackson-databind. > > I'm going to include here a small excerpt of the "dependency:tree" output > for our child pom: > > com.att.idp:RiskAssessmentMS:jar:2.8.0 > +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile > +- org.jasypt:jasypt:jar:1.9.3:compile > +- com.io7m.xom:xom:jar:1.2.10:compile > +- com.att.idp:idp-health:jar:2.8.0:compile > | +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile > | +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from > constraint [2.8.0,2.8.100)) > | | \- ch.qos.logback:logback-core:jar:1.2.9:compile > | +- redis.clients:jedis:jar:3.8.0:compile > | | \- org.apache.commons:commons-pool2:jar:2.11.1:compile > | +- com.github.fppt:jedis-mock:jar:0.1.23:compile > | | \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile > | \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile > +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile > +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile > > The "idp-health" library is one of our wrapper libraries. That specifies > dependencies that pull in jackson-databind, and in those dependencies I > have excluded jackson-databind and included a specific dependency for > jackson-databind. As the bom imported from the parent pom specifies v2.13.5 > for that, I would expect I would get jackson-databind v2.13.5, but I'm > still getting v2.14.1. > > I'm very confused. > > I think I remember seeing discussions in the dev list about improving the > output of dependency:tree to be clearer, I don't know if there's been any > progress on that. >
Confused about how to override a transient artifact version
In general, I know how to override transient artifact versions. You add an "exclusion" for the artifact on the dependency that is including that dependency, and then you manually add that dependency in the same pom where you added the exclusion. In my case, the version I want is defined in a bom in our parent pom, so I don't have to specify the version in that dependency. This works fine, if I do this exclusion and inclusion in the overall "child pom". However, I maintain the parent pom and platform, and there will be dozens of "child poms" that will need to do this. I would much rather do this "fixup" in the poms for the libraries in our platform. Those poms specify the dependencies whose versions I need to control. I've been struggling with trying to do this, along with trying to understand the output of "mvn dependency:tree" and the apparently functionally similar output in the "Dependency Hierarchy" view in Eclipse using the m2e plugin. Although I can loosely see the hierarchical output from these, I find determining the actual details of where dependencies are coming from is very mystifying. To get down to actual details, my problem is that I'm ending up with different versions of "jackson-core" and "jackson-databind". I need to ensure that I have the same versions of both. I am getting v2.14.1 of jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 in our parent pom, but somehow something in the tree is giving us v2.14.1 of jackson-databind. I'm going to include here a small excerpt of the "dependency:tree" output for our child pom: com.att.idp:RiskAssessmentMS:jar:2.8.0 +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile +- org.jasypt:jasypt:jar:1.9.3:compile +- com.io7m.xom:xom:jar:1.2.10:compile +- com.att.idp:idp-health:jar:2.8.0:compile | +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile | +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from constraint [2.8.0,2.8.100)) | | \- ch.qos.logback:logback-core:jar:1.2.9:compile | +- redis.clients:jedis:jar:3.8.0:compile | | \- org.apache.commons:commons-pool2:jar:2.11.1:compile | +- com.github.fppt:jedis-mock:jar:0.1.23:compile | | \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile | \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile The "idp-health" library is one of our wrapper libraries. That specifies dependencies that pull in jackson-databind, and in those dependencies I have excluded jackson-databind and included a specific dependency for jackson-databind. As the bom imported from the parent pom specifies v2.13.5 for that, I would expect I would get jackson-databind v2.13.5, but I'm still getting v2.14.1. I'm very confused. I think I remember seeing discussions in the dev list about improving the output of dependency:tree to be clearer, I don't know if there's been any progress on that.
