We actually already use several different BOMs, both internal and external.
It didn't occur to me to look for a jackson-bom, and that's a good idea.
However, I assumed that would just be a cosmetic change, but on the first
try it seemed like that made it work. I need to do some cleanup, but I
think this will work. Thanks.

On Fri, Jul 28, 2023 at 5:21 PM Nick Stolwijk <nick.stolw...@gmail.com>
wrote:

> Hi David,
>
> You could try to add the Jackson BOM in the parent dependencyManagement.
> That would override all versions in the (transitive) dependencies of the
> child modules. For a nice explanation of BOM files, see Baeldung's blog post
> [1].
>
> <project ...>
>     <modelVersion>4.0.0</modelVersion>
>     <groupId>baeldung</groupId>
>     <artifactId>Test</artifactId>
>     <version>0.0.1-SNAPSHOT</version>
>     <packaging>pom</packaging>
>     <name>Test</name>
>
>     <dependencyManagement>
>         <dependencies>
>             <dependency>
>                 <groupId>com.fasterxml.jackson</groupId>
>                 <artifactId>jackson-bom</artifactId>
>                 <version>2.13.5</version>
>                 <type>pom</type>
>                 <scope>import</scope>
>             </dependency>
>         </dependencies>
>     </dependencyManagement>
> </project>
>
>
> [1] https://www.baeldung.com/spring-maven-bom
> Nick Stolwijk
>
> ~~~ Try to leave this world a little better than you found it and, when
> your turn comes to die, you can die happy in feeling that at any rate you
> have not wasted your time but have done your best ~~~
>
> Lord Baden-Powell
>
>
> On Sat, 29 Jul 2023 at 01:29, David Karr <davidmichaelk...@gmail.com>
> wrote:
>
> > In general, I know how to override transient artifact versions. You add an
> > "exclusion" for the artifact on the dependency that is including that
> > dependency, and then you manually add that dependency in the same pom where
> > you added the exclusion.  In my case, the version I want is defined in a
> > bom in our parent pom, so I don't have to specify the version in that
> > dependency.
> >
> > This works fine, if I do this exclusion and inclusion in the overall "child
> > pom".
> >
> > However, I maintain the parent pom and platform, and there will be dozens
> > of "child poms" that will need to do this.  I would much rather do this
> > "fixup" in the poms for the libraries in our platform.  Those poms specify
> > the dependencies whose versions I need to control.
> >
> > I've been struggling with trying to do this, along with trying to
> > understand the output of "mvn dependency:tree" and the apparently
> > functionally similar output in the "Dependency Hierarchy" view in Eclipse
> > using the m2e plugin.  Although I can loosely see the hierarchical output
> > from these, I find determining the actual details of where dependencies are
> > coming from is very mystifying.
> >
> > To get down to actual details, my problem is that I'm ending up with
> > different versions of "jackson-core" and "jackson-databind".  I need to
> > ensure that I have the same versions of both.  I am getting v2.14.1 of
> > jackson-databind and v2.13.5 of jackson-core.  We are specifying v2.13.5 in
> > our parent pom, but somehow something in the tree is giving us v2.14.1 of
> > jackson-databind.
> >
> > I'm going to include here a small excerpt of the "dependency:tree" output
> > for our child pom:
> >
> >  com.att.idp:RiskAssessmentMS:jar:2.8.0
> > +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile
> > +- org.jasypt:jasypt:jar:1.9.3:compile
> > +- com.io7m.xom:xom:jar:1.2.10:compile
> > +- com.att.idp:idp-health:jar:2.8.0:compile
> > |  +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile
> > |  +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from constraint [2.8.0,2.8.100))
> > |  |  \- ch.qos.logback:logback-core:jar:1.2.9:compile
> > |  +- redis.clients:jedis:jar:3.8.0:compile
> > |  |  \- org.apache.commons:commons-pool2:jar:2.11.1:compile
> > |  +- com.github.fppt:jedis-mock:jar:0.1.23:compile
> > |  |  \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile
> > |  \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile
> > +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
> > +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
> >
> > The "idp-health" library is one of our wrapper libraries.  That specifies
> > dependencies that pull in jackson-databind, and in those dependencies I
> > have excluded jackson-databind and included a specific dependency for
> > jackson-databind. As the bom imported from the parent pom specifies v2.13.5
> > for that, I would expect I would get jackson-databind v2.13.5, but I'm
> > still getting v2.14.1.
> >
> > I'm very confused.
> >
> > I think I remember seeing discussions in the dev list about improving the
> > output of dependency:tree to be clearer; I don't know if there's been any
> > progress on that.
> >
>
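
A check for the mismatch discussed in this thread, added here as an example and not code from either poster or from Maven: it parses `mvn dependency:tree` text output and reports when artifacts under one groupId prefix resolve to more than one version. The sample tree is constructed (the com.example coordinates are made up), and the function names are this example's own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in `mvn dependency:tree` text format, modelled on the
# excerpt quoted in the thread; the com.example coordinates are made up.
SAMPLE_TREE = """\
com.example:demo-service:jar:1.0.0
+- com.example:platform-health:jar:1.0.0:compile
|  +- redis.clients:jedis:jar:3.8.0:compile
|  |  \\- org.apache.commons:commons-pool2:jar:2.11.1:compile
|  \\- ch.qos.logback:logback-core:jar:1.2.9:compile
+- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
+- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
\\- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.4:compile
"""

# group:artifact:type[:classifier]:version:scope after the tree-drawing prefix.
# The root line has no scope, so it never matches and is skipped.
COORD = re.compile(
    r"^(?:\[INFO\] )?[|+\\\- ]*"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+)"
    r"(?::(?P<classifier>[^:\s]+))?"
    r":(?P<version>[^:\s]+):(?P<scope>compile|runtime|provided|test|system)\b"
)


def resolved_versions(tree_text, group_prefix):
    """Map version -> sorted 'group:artifact' list for groupIds under group_prefix."""
    by_version = defaultdict(set)
    for line in tree_text.splitlines():
        m = COORD.match(line)
        if m and m["group"].startswith(group_prefix):
            by_version[m["version"]].add(f'{m["group"]}:{m["artifact"]}')
    return {v: sorted(a) for v, a in by_version.items()}


def version_skew(tree_text, group_prefix="com.fasterxml.jackson"):
    """Return the version map if the family resolves to several versions, else {}."""
    versions = resolved_versions(tree_text, group_prefix)
    return versions if len(versions) > 1 else {}


if __name__ == "__main__":
    # Assumption: argv[1], if given, is a saved dependency:tree text file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    skew = version_skew(text)
    for version, artifacts in sorted(skew.items()):
        print(f"{version}: {', '.join(artifacts)}")
    sys.exit(1 if skew else 0)
```

Run it against a file written with `mvn dependency:tree -DoutputFile=tree.txt`; a non-zero exit means the family resolved to more than one version.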
