Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-2192

Transitive dependency overrides version specified in POM

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Cannot Reproduce
    • 2.0.2, 2.0.3
    • None
    • Dependencies
    • None

    Description

      I'm seeing this in both 2.0.2 and 2.0.3, but not in 1.0.2. I specify a version for a dependency in the parent pom.xml. As the build goes on, one or more dependencies will be processed in the modules that have earlier versions, and those earlier versions override the version I specified in pom.xml.

      For example:
      <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version> 3.1</version>
      </dependency>

      Then from the log:
      ...
      [DEBUG] struts:struts:jar:1.2.4:compile (selected for compile)
      [DEBUG] oro:oro:jar:2.0.7:compile (selected for compile)
      [DEBUG] commons-logging:commons-logging:jar:1.0.4:compile (selected for compile)
      [DEBUG] commons-fileupload:commons-fileupload:jar:1.0:compile (selected for compile)
      [DEBUG] commons-collections:commons-collections:jar:2.1:compile (selected for compile)
      [DEBUG] commons-beanutils:commons-beanutils:jar: 1.6.1:compile (selected for compile)
      [DEBUG] commons-logging:commons-logging:jar:1.0:compile (removed - nearer found: 1.0.4)
      [DEBUG] commons-collections:commons-collections:jar:2.0:compile (removed - nearer found: 2.1)
      [DEBUG] commons-digester:commons-digester:jar:1.5:compile (selected for compile)
      [DEBUG] commons-beanutils:commons-beanutils:jar:1.6:compile (removed - nearer found: 1.6.1)
      ...

      And what is in the WAR file is:
      [DEBUG] adding entry WEB-INF/lib/commons-collections-2.1.jar
      (verified this from the .war file)

      This is contrary to the documentation on the web site:
      http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
      Which says:
      Dependency mediation - this determines what version of a dependency will be used when multiple versions of an artifact are encountered. Currently, Maven 2.0 only supports using the "nearest definition" - so you can always guarantee a version by declaring it explicitly in your project's POM.
      I take this to mean that the POM is based on the parent pom.xml in a multiproject build, and the modules should inherit the version setting from the parent. So I haven't tried to specify the version again in a child pom.xml.

      I came across this while converting a project from M1 to M2. The M1 WAR file contains version 3.1, as expected.

      Hope to include a simple pom.xml to demo this later – schedule crunch at the moment precludes doing it now.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            carlos Carlos Sanchez Gonzalez
            rayward Ray Ward
            Votes:
            2 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment