  1. Maven
  2. MNG-5622

Provided dependencies updated to 'compile' even when excluded


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Incomplete
    • Affects Version/s: 3.0.5, 3.2.1
    • Fix Version/s: None
    • Component/s: Dependencies

    Description

      I have a project A with the following dependency:

      <dependency>
        <groupId>dom4j</groupId>
        <artifactId>dom4j</artifactId>
        <version>1.6.1</version>
      </dependency>
      

      dom4j has a compile dependency on xml-api.

      In project B, I use project A as a provided dependency, and it has another dependency:

      <!-- dom4j is a dependency of poi-ooxml -->
      <dependency>
        <groupId>org.apache.poi</groupId>
        <artifactId>poi-ooxml</artifactId>
        <version>3.9</version>
        <exclusions>
          <exclusion>
            <groupId>xml-apis</groupId>
            <artifactId>xml-apis</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      

      So, what happens is that Maven 3.2.1 adds xml-api as a compile dependency regardless of whether you exclude it from poi-ooxml.

      As far as I understood, Maven is getting project A's dependencies and finds dom4j. It was initially supposed to be provided, but the compile dependency poi-ooxml has dom4j as a transitive compile dependency, so Maven correctly updates the dom4j scope to compile.
      The problem is that, because it's adding dom4j to the compile scope, it decides to upgrade xml-api to a compile dependency, even though we excluded it in the first place.

      The obvious workaround is to exclude dom4j from poi-ooxml.

      I'm not sure if this is the expected behaviour, or just a corner case. I couldn't find any valid documentation about that case.
      This is a possible duplicate of MNG-5404, but it looks slightly different. I wonder if they have the same root cause.

      To run the attached test, "mvn package dependency:tree" will do it. dependency:2.8:tree shows the same resolution tree as Maven itself.

      Attachments

        1. dependencies-maven.tar.gz
          7 kB
          Cintia DR
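
A check for the behaviour this report describes, as an added example that is not part of the original issue or of Maven itself: it parses `mvn dependency:tree` text output and reports any artifact declared as excluded that still resolves in a packaged scope, with the path that pulled it in. The function name, the `com.example` coordinates and the sample tree (including the xml-apis version) are constructed for illustration.

```python
import re

# One node of `mvn dependency:tree` text output, e.g.
# "[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile"
NODE = re.compile(
    r"^(?:\[INFO\] )?(?P<prefix>(?:[| ]  )*(?:[+\\]- )?)"
    r"(?P<coords>[^\s:]+(?::[^\s:]+){3,5})"
)

def excluded_but_resolved(tree_text, excluded, scopes=("compile", "runtime")):
    """Return (coords, path) for every excluded groupId:artifactId that
    still appears in the resolved tree with a scope that gets packaged."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, summary or blank line
        depth = len(m.group("prefix")) // 3  # each tree level is 3 chars wide
        parts = m.group("coords").split(":")
        ga = ":".join(parts[:2])
        scope = parts[-1] if depth > 0 else None  # the root line has no scope
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(ga)
        if ga in excluded and scope in scopes:
            findings.append((m.group("coords"), " -> ".join(stack)))
    return findings

# Constructed sample, shaped like the outcome the report describes:
# xml-apis was excluded on poi-ooxml but still resolves as compile via dom4j.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ project-b ---
[INFO] com.example:project-b:jar:1.0
[INFO] +- com.example:project-a:jar:1.0:provided
[INFO] \- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO]    \- dom4j:dom4j:jar:1.6.1:compile
[INFO]       \- xml-apis:xml-apis:jar:1.0.b2:compile
"""

if __name__ == "__main__":
    for coords, path in excluded_but_resolved(SAMPLE_TREE, {"xml-apis:xml-apis"}):
        print(f"excluded artifact still resolved: {coords}\n  via {path}")
```

Run against the real output of `mvn package dependency:tree` in a build step, a non-empty result means an exclusion did not take effect and the artifact will be packaged.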

            People

              Unassigned Unassigned
              cintiadr Cintia DR
              Votes: 1
              Watchers: 3
