I apologize for my unclear description! Allow me to explain my problem specifically. You are right; it is indeed a confusion.

Firstly, I compiled a project using Maven. This step was completed with the command mvn clean install. Below is part of the output (I have omitted some information for brevity).

[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=316672, ConflictMarker.markTime=152305, ConflictMarker.nodeCount=135, ConflictIdSorter.graphTime=146303, ConflictIdSorter.topsortTime=42955, ConflictIdSorter.conflictIdCount=59, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=4445286, ConflictResolver.conflictItemCount=131, DefaultDependencyCollector.collectTime=204337663, DefaultDependencyCollector.transformTime=5194486}
[DEBUG] com.akathist.maven.plugins.launch4j:launch4j-maven-plugin:maven-plugin:2.4.2-SNAPSHOT
...
[DEBUG] org.apache.maven:maven-core:jar:3.9.4:provided
...
[DEBUG] org.codehaus.plexus:plexus-interpolation:jar:1.26:provided
[DEBUG] org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:provided
[DEBUG] org.slf4j:slf4j-api:jar:1.7.36:provided
[DEBUG] org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.9.0:provided
[DEBUG] org.apache.commons:commons-lang3:jar:3.13.0:compile
[DEBUG] junit:junit:jar:4.13.2:test
...

From this portion of the information, we can see that the version of the dependency package org.apache.commons:commons-lang3 is 3.13.0. However, because the compilation output hides duplicate dependency information, I tried mvn dependency:tree -Dverbose=true to get more detailed information. Here is the output:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ launch4j-maven-plugin ---
[INFO] com.akathist.maven.plugins.launch4j:launch4j-maven-plugin:maven-plugin:2.4.2-SNAPSHOT
...
[INFO] +- org.apache.maven:maven-core:jar:3.9.4:provided
...
[INFO] |  +- org.codehaus.plexus:plexus-interpolation:jar:1.26:provided
[INFO] |  +- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:provided
[INFO] |  +- (org.apache.commons:commons-lang3:jar:3.12.0:provided - omitted for duplicate)
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:provided
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.9.0:provided
[INFO] +- org.apache.commons:commons-lang3:jar:3.13.0:compile
[INFO] +- junit:junit:jar:4.13.2:test
...

From this, we can still find the dependency package org.apache.commons:commons-lang3 at its original location, and the version matches the one mentioned in the compilation output, which is 3.13.0. However, within the dependency of org.apache.maven:maven-core, there is another occurrence of org.apache.commons:commons-lang3. It's worth noting that this dependency package does not have the version 3.13.0.

My confusion is: based on the above situation, has the project actually introduced the org.apache.commons:commons-lang3 with version 3.12.0 during the actual compilation process?

I hope this clarifies my confusion.

On 2023/10/31 19:14:08 Greg Chabala wrote:
> On Tue, Oct 31, 2023 at 11:27 AM <ma...@barclays.com.invalid>
> wrote:
>
> > Can't quite make sense of all this; given that you got no replies, maybe
> > no one else understood either.
>
> I second this sentiment. All I could tell is it seems like there's some
> confusion about interpreting the dependency:tree output, and perhaps
> confusion on how dependency convergence works, or how a project should
> specify dependency versions.
>
> See
> https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html
> for an overview.
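
Added example, not part of the original message or of any Maven project code: a small Python parser for `mvn dependency:tree -Dverbose=true` output that separates the nodes the tree keeps from the ones it prints in parentheses as omitted, and reports every artifact whose omitted version differs from the kept one. The function names are this example's own, and the embedded sample is copied from the tree lines quoted in the message.

```python
import re
from collections import defaultdict

# Sample input: tree lines copied from the message above (elided "..." lines left out).
SAMPLE = """\
[INFO] com.akathist.maven.plugins.launch4j:launch4j-maven-plugin:maven-plugin:2.4.2-SNAPSHOT
[INFO] +- org.apache.maven:maven-core:jar:3.9.4:provided
[INFO] |  +- org.codehaus.plexus:plexus-interpolation:jar:1.26:provided
[INFO] |  +- (org.apache.commons:commons-lang3:jar:3.12.0:provided - omitted for duplicate)
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.36:provided
[INFO] +- org.apache.commons:commons-lang3:jar:3.13.0:compile
[INFO] +- junit:junit:jar:4.13.2:test
"""

OMITTED = re.compile(r"\((.+?) - omitted for (.+)\)")


def parse_tree(text):
    """Return (kept, omitted): kept maps group:artifact -> (version, scope);
    omitted maps group:artifact -> [(version, scope, reason), ...]."""
    kept, omitted = {}, defaultdict(list)
    for line in text.splitlines():
        # Drop the log prefix and the tree-drawing characters.
        node = re.sub(r"^\[INFO\]\s?", "", line).lstrip(" |+\\-").strip()
        m = OMITTED.fullmatch(node)
        coords, reason = (m.group(1), m.group(2)) if m else (node, None)
        parts = coords.split(":")
        if len(parts) < 5 or " " in coords:
            continue  # root project line (no scope), banner, or "..." filler
        ga, version, scope = ":".join(parts[:2]), parts[-2], parts[-1]
        if reason is None:
            kept[ga] = (version, scope)
        else:
            omitted[ga].append((version, scope, reason))
    return kept, dict(omitted)


def version_mismatches(text):
    """List (artifact, omitted_version, kept_version, reason) where they differ."""
    kept, omitted = parse_tree(text)
    return [
        (ga, version, kept[ga][0], reason)
        for ga, entries in omitted.items()
        for version, _scope, reason in entries
        if ga in kept and kept[ga][0] != version
    ]


if __name__ == "__main__":
    for ga, lost, won, reason in version_mismatches(SAMPLE):
        print(f"{ga}: tree keeps {won}; {lost} omitted ({reason})")
```

Run over a full tree, the mismatch list names each artifact where a transitive request was dropped in favour of a different version, which is the set to review when checking the kept versions against advisories.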