Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
3.0.0-M2
-
None
-
None
Description
The documentation for Dependency Convergence describes how to suppress an error reported by the check. This description leads to unreliable project configurations. It may or may not be intentional that the documentation merely states "And this will succeed" without explicitly saying that doing this is good or bad practice.
In the example from the documentation, using an exclusion element works for the very moment, but as soon as the dependency slf4j-jdk14 is no longer needed, the project will break since slf4j-api is still required by slf4j-nop, but not included anymore.
A more reliable and sustainable solution would be to have declarations like the following:
- If one dependency chain ends in org.slf4j:slf4j-api:1.6.1 and another ends in org.slf4j:slf4j-api:1.6.0, use version 1.6.1.
The general pattern is:
- If one dependency chain ends in $coordinate1 and another ends in $coordinate2, use version $version.
Using this pattern instead of globally saying "don't use version 1.6.0" would not break the above scenario where slf4j-jdk14 is no longer needed. Even better, since during dependency resolution this particular conflict does not occur anymore, this rule can be flagged as being no longer necessary.
It should be possible to specify not only the last coordinate of a dependency chain but any elements, as in the following example:
- If one dependency chain ends in org.slf4j:slf4j-jdk14:1.6.1, org.slf4j:slf4j-api:1.6.1 and another ends in org.slf4j:slf4j-nop:1.6.0, org.slf4j:slf4j-api:1.6.0, use version 1.6.1.
As it is now, the dependency convergence test encourages Maven users to specify overly general and therefore wrong exclusion rules. This should be avoided.