Maven dependencyManagement version ignored in transitive dependencies

2018-06-09 23:53:49

Maven is transitively pulling in version 16 of guava, even though I have a <dependencyManagement> section which specifies version 18.

The quick summary:

gwizard-example depends on gwizard-config

gwizard-config has a parent pom, gwizard-parent

gwizard-parent has <dependencyManagement> which specifies version 18 of guava

Thankfully this is an opensource project, so you can see the poms directly: gwizard-parent, gwizard-config, gwizard-example. However, here's the important bit in gwizard-parent :

<properties>
    <guava.version>18.0</guava.version>
</properties>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
    </dependencies>
</dependencyManagement>

...and the no-frills dependency declared in gwizard-example:

<properties>
    <gwizard.version>0.5</gwizard.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.gwizard</groupId>
        <artifactId>gwizard-config</artifactId>
        <version>${gwizard.version}</version>
    </dependency>
</dependencies>

The dependency tree for gwizard-config shows guava 18 correctly:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gwizard-config ---
[INFO] org.gwizard:gwizard-config:jar:0.5
[INFO] +- com.google.inject:guice:jar:4.0-beta5:compile
[INFO] |  - com.google.guava:guava:jar:18.0:compile

However, the dependency tree for gwizard-example shows guava 16 (which causes problems):

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gwizard-example ---
[INFO] org.gwizard:gwizard-example:jar:1.0-SNAPSHOT
[INFO] +- org.gwizard:gwizard-config:jar:0.5:compile
[INFO] |  +- com.google.inject:guice:jar:4.0-beta5:compile
[INFO] |  |  - com.google.guava:guava:jar:16.0.1:compile

This is using Maven v3.2.5. I am baffled. Help?

Possibly related: dependencyManagement in parent ignored

UPDATE : The poms linked on github are changing; adding a dependency to gwizard-services (which directly declares a guava dep) in gwizard-example "fixed" the problem. There's still some sort of bad underlying behavior here.

UPDATE : Created this JIRA issue

There is a simple thing. A dependencyManagement does not declare a dependency which is really used it's only defining versions etc. which can be used.

If you define something like this it will not result in a change.

<properties>
    <guava.version>18.0</guava.version>
</properties>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
    </dependencies>
</dependencyManagement>

If you really like to overwrite the version which is used in you tree you need to define a real dependency: So based on the above definition you need to add the following as well:

<dependencies>
    <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
    </dependency>
</dependencies>

If you have added this please check afterwards via mvn dependency:tree .

Maven doesn't resolve the version transitive dependency issue in this case.

This issue can be used by using maven bom concept.

Check the maven documentation for bom in the below link http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management

Here is another blog which explains usage of bom's http://howtodoinjava.com/maven/maven-bom-bill-of-materials-dependency/

In your case to solve this issue, you need to add the below dependency in the dependencyManagement section of the project gwizard-example.

     <dependency>
         <groupId>org.gwizard</groupId>
         <artifactId>gwizard-parent</artifactId>
         <version>${gwizard.version}</version>
         <type>pom</type>
         <scope>import</scope>
     </dependency>

链接地址: http://www.djcxy.com/p/29692.html

上一篇: 从伟大的Maven采购依赖版本

下一篇: Maven dependencyManagement版本在传递依赖中被忽略