[ https://issues.apache.org/jira/browse/MNG-5708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17088455#comment-17088455 ]
Maarten Mulders edited comment on MNG-5708 at 4/21/20, 9:05 AM: ---------------------------------------------------------------- I've tried this with Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f). I needed to do things a little different than described in the bug (e.g., edit proj2/*module1*/pom.xml and run {{mvn verify}} on proj3), but that latter command shows: {code:java} [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ proj3 --- [INFO] group:proj3:jar:1-SNAPSHOT [INFO] \- group:module1:jar:1-SNAPSHOT:compile [INFO] +- group:proj1:jar:1-SNAPSHOT:compile [INFO] | \- log4j:log4j:jar:1.2.7:compile [INFO] \- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile [INFO] \- org.slf4j:slf4j-api:jar:1.7.7:compile {code} Log4J is still being included through {{group:proj1}}. was (Author: mthmulders): I've tried this with Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f). I needed to do things a little different than described in the bug (e.g., edit proj2/module*1*/pom.xml and run {{mvn verify}} on proj3), but that latter command shows: {code:java} [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ proj3 --- [INFO] group:proj3:jar:1-SNAPSHOT [INFO] \- group:module1:jar:1-SNAPSHOT:compile [INFO] +- group:proj1:jar:1-SNAPSHOT:compile [INFO] | \- log4j:log4j:jar:1.2.7:compile [INFO] \- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile [INFO] \- org.slf4j:slf4j-api:jar:1.7.7:compile {code} Log4J is still being included through {{group:proj1}}. > Maven dependency resolution inconsistent with multiple excludes > --------------------------------------------------------------- > > Key: MNG-5708 > URL: https://issues.apache.org/jira/browse/MNG-5708 > Project: Maven > Issue Type: Bug > Components: Dependencies > Affects Versions: 3.2.3 > Environment: Apache Maven 3.2.3 > (33f8c3e1027c3ddde99d3cdebad2656a31e8fdf4; 2014-08-11T13:58:10-07:00) > Maven home: /home/henning/.apache-maven > Java version: 1.7.0_67, vendor: Oracle Corporation > Java home: /usr/lib/jvm/java-1.7.0-sun-1.7.0.67/jre > Default locale: en_US, platform encoding: UTF-8 > OS name: "linux", version: "3.16.6-200.fc20.x86_64", arch: "amd64", family: > "unix" > Reporter: Henning Schmiedehausen > Priority: Major > Fix For: needing-scrub-3.4.0-fallout > > Attachments: dependency-bug-2.tar.gz, dependency-bug-3.tar.gz, > dependency-bug.tar.gz > > > This is how to reproduce the problem: > download and unpack the attached tarball. It contains three projects: > proj1 depends on log4j and commons-lang3 > proj2 is a multi module project which uses proj1. But it uses slf4j, so for > proj1 it has an exclusion in the dependency management section which excludes > log4j > module1 depends on proj1 and log4j-over-slf4j > module2 depends on proj1 > proj3 is a project that depends on module1. > enter each project one-by-one and do "mvn clean install". This works fine. So > dependency exclusion etc. works. > Now, remove the comments from the exclude block in proj2/module2/pom.xml > run "mvn clean install" in proj2. Everything still builds fine in proj2. > Same goes for "mvn clean install -pl :module2" (only build module2) and "mvn > clean install -rf :module2" (resume from module2) > now go to proj3. The build fails because there are duplicates on the > classpath. Looking at the dependency tree: > [INFO] group:proj3:jar:1-SNAPSHOT > [INFO] \- group:module1:jar:1-SNAPSHOT:compile > [INFO] +- group:proj1:jar:1-SNAPSHOT:compile > [INFO] | \- log4j:log4j:jar:1.2.7:compile > [INFO] \- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile > [INFO] \- org.slf4j:slf4j-api:jar:1.7.7:compile > log4j (which was excluded in the dependencyManagement section) has reappeared! > This only happens if there are excludes in the depMgt section of a parent pom > *and* excludes in the dependency itself in a child project *and* the > dependency is referred from outside the multi module project. For an in-tree > project (such as module2), everything is fine. -- This message was sent by Atlassian Jira (v8.3.4#803005)