Hi David,

When I want to know what's bringing in a dependency I use
https://github.com/ferstl/depgraph-maven-plugin

mvn depgraph:aggregate -DtargetIncludes=:jackson-databind

And it drops a nice diagram in the root build dir.

<plugin>
  <groupId>com.github.ferstl</groupId>
  <artifactId>depgraph-maven-plugin</artifactId>
  <version>4.0.2</version>
  <configuration>
    <createImage>true</createImage>
    <customStyleConfiguration>classpath:depgraph/depgraph.json</customStyleConfiguration>
    <dotArguments>-Kfdp -Goverlap=false -Gstart=30 -Gsep=+10,10</dotArguments>
    <graphFormat>dot</graphFormat>
    <mergeScopes>true</mergeScopes>
    <showConflicts>true</showConflicts>
    <showDuplicates>false</showDuplicates>
    <repeatTransitiveDependenciesInTextGraph>false</repeatTransitiveDependenciesInTextGraph>
    <transitiveExcludes>*</transitiveExcludes>
  </configuration>
</plugin>

Delany

On Sat, 29 Jul 2023 at 01:29, David Karr <davidmichaelk...@gmail.com> wrote:

> In general, I know how to override transient artifact versions. You add an
> "exclusion" for the artifact on the dependency that is including that
> dependency, and then you manually add that dependency in the same pom where
> you added the exclusion. In my case, the version I want is defined in a
> bom in our parent pom, so I don't have to specify the version in that
> dependency.
>
> This works fine, if I do this exclusion and inclusion in the overall "child
> pom".
>
> However, I maintain the parent pom and platform, and there will be dozens
> of "child poms" that will need to do this. I would much rather do this
> "fixup" in the poms for the libraries in our platform. Those poms specify
> the dependencies whose versions I need to control.
>
> I've been struggling with trying to do this, along with trying to
> understand the output of "mvn dependency:tree" and the apparently
> functionally similar output in the "Dependency Hierarchy" view in Eclipse
> using the m2e plugin. Although I can loosely see the hierarchical output
> from these, I find determining the actual details of where dependencies are
> coming from is very mystifying.
>
> To get down to actual details, my problem is that I'm ending up with
> different versions of "jackson-core" and "jackson-databind". I need to
> ensure that I have the same versions of both. I am getting v2.14.1 of
> jackson-databind and v2.13.5 of jackson-core. We are specifying v2.13.5 in
> our parent pom, but somehow something in the tree is giving us v2.14.1 of
> jackson-databind.
>
> I'm going to include here a small excerpt of the "dependency:tree" output
> for our child pom:
>
> com.att.idp:RiskAssessmentMS:jar:2.8.0
> +- com.att.idp:idp-seed-sdk-core:jar:2.8.0:compile
> +- org.jasypt:jasypt:jar:1.9.3:compile
> +- com.io7m.xom:xom:jar:1.2.10:compile
> +- com.att.idp:idp-health:jar:2.8.0:compile
> | +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile
> | +- com.att.idp:idp-logging-core:jar:2.8.0:compile (version selected from
> constraint [2.8.0,2.8.100))
> | | \- ch.qos.logback:logback-core:jar:1.2.9:compile
> | +- redis.clients:jedis:jar:3.8.0:compile
> | | \- org.apache.commons:commons-pool2:jar:2.11.1:compile
> | +- com.github.fppt:jedis-mock:jar:0.1.23:compile
> | | \- com.google.auto.value:auto-value-annotations:jar:1.6.2:compile
> | \- com.att.idp.voltage:vibesimplejava:jar:6.21.0.0:compile
> +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
> +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
>
> The "idp-health" library is one of our wrapper libraries. That specifies
> dependencies that pull in jackson-databind, and in those dependencies I
> have excluded jackson-databind and included a specific dependency for
> jackson-databind. As the bom imported from the parent pom specifies v2.13.5
> for that, I would expect I would get jackson-databind v2.13.5, but I'm
> still getting v2.14.1.
>
> I'm very confused.
>
> I think I remember seeing discussions in the dev list about improving the
> output of dependency:tree to be clearer, I don't know if there's been any
> progress on that.
>
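
An added example, not part of either message above: a small parser for "mvn dependency:tree" text output that records the ancestor chain of every node and reports when one groupId resolves to more than one version, which is the jackson-core / jackson-databind situation described in the thread. The function names and the sample are constructed for illustration; the sample is trimmed from the quoted excerpt and assumes Maven's standard three-character tree indentation.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed from the excerpt quoted in the thread, with
# Maven's standard 3-character indentation assumed (an assumption).
SAMPLE_TREE = r"""com.att.idp:RiskAssessmentMS:jar:2.8.0
+- com.att.idp:idp-health:jar:2.8.0:compile
|  +- org.springframework.boot:spring-boot-actuator:jar:2.7.5:compile
|  +- redis.clients:jedis:jar:3.8.0:compile
|  |  \- org.apache.commons:commons-pool2:jar:2.11.1:compile
+- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
+- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
"""

# Optional "[INFO] " prefix, indent units ("|  " or "   "), branch marker,
# then a coordinate of 4 to 6 colon-separated fields.
LINE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:\|  |   )*)(?P<mark>[+\\]- )?"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})")

def parse_tree(text):
    """Return [(group, artifact, version, path)]; path lists ancestors from the root."""
    nodes, stack = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner lines, blank lines, build summary
        depth = len(m["indent"]) // 3 + (1 if m["mark"] else 0)
        parts = m["coord"].split(":")
        # The root is g:a:type:version; dependencies carry a trailing :scope.
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes from the chain
        nodes.append((parts[0], parts[1], version, list(stack)))
        stack.append(f"{parts[1]}:{version}")
    return nodes

def version_skew(nodes, group):
    """Map version -> [(artifact, path)] if `group` resolves to more than one version."""
    by_version = defaultdict(list)
    for g, artifact, version, path in nodes:
        if g == group:
            by_version[version].append((artifact, " > ".join(path)))
    return dict(by_version) if len(by_version) > 1 else {}

if __name__ == "__main__":
    skew = version_skew(parse_tree(SAMPLE_TREE), "com.fasterxml.jackson.core")
    for version, hits in sorted(skew.items()):
        for artifact, path in hits:
            print(f"{artifact} {version}  via  {path}")
```

Used as a build check, a non-empty result for a groupId whose artifacts are expected to move together can fail the pipeline before the mismatched jars ship.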