Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-2192

Transitive dependency overrides version specified in POM

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.0.2, 2.0.3
    • Fix Version/s: None
    • Component/s: Dependencies
    • Labels:
      None

      Description

      I'm seeing this in both 2.0.2 and 2.0.3, but not in 1.0.2. I specify a version for a dependency in the parent pom.xml. As the build goes on, one or more dependencies will be processed in the modules that have earlier versions, and those earlier versions override the version I specified in pom.xml.

      For example:
      <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version> 3.1</version>
      </dependency>

      Then from the log:
      ...
      [DEBUG] struts:struts:jar:1.2.4:compile (selected for compile)
      [DEBUG] oro:oro:jar:2.0.7:compile (selected for compile)
      [DEBUG] commons-logging:commons-logging:jar:1.0.4:compile (selected for compile)
      [DEBUG] commons-fileupload:commons-fileupload:jar:1.0:compile (selected for compile)
      [DEBUG] commons-collections:commons-collections:jar:2.1:compile (selected for compile)
      [DEBUG] commons-beanutils:commons-beanutils:jar: 1.6.1:compile (selected for compile)
      [DEBUG] commons-logging:commons-logging:jar:1.0:compile (removed - nearer found: 1.0.4)
      [DEBUG] commons-collections:commons-collections:jar:2.0:compile (removed - nearer found: 2.1)
      [DEBUG] commons-digester:commons-digester:jar:1.5:compile (selected for compile)
      [DEBUG] commons-beanutils:commons-beanutils:jar:1.6:compile (removed - nearer found: 1.6.1)
      ...

      And what is in the WAR file is:
      [DEBUG] adding entry WEB-INF/lib/commons-collections-2.1.jar
      (verified this from the .war file)

      This is contrary to the documentation on the web site:
      http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
      Which says:
      Dependency mediation - this determines what version of a dependency will be used when multiple versions of an artifact are encountered. Currently, Maven 2.0 only supports using the "nearest definition" - so you can always guarantee a version by declaring it explicitly in your project's POM.
      I take this to mean that the POM is based on the parent pom.xml in a multiproject build, and the modules should inherit the version setting from the parent. So I haven't tried to specify the version again in a child pom.xml.

      I came across this while converting a project from M1 to M2. The M1 WAR file contains version 3.1, as expected.

      Hope to include a simple pom.xml to demo this later – schedule crunch at the moment precludes doing it now.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                carlos Carlos Sanchez
                Reporter:
                rayward Ray Ward
              • Votes:
                2 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: