Maven dependency resolution inconsistent with multiple excludes

This is how to reproduce the problem:

download and unpack the attached tarball. It contains three projects:

proj1 depends on log4j and commons-lang3
proj2 is a multi module project which uses proj1. But it uses slf4j, so for proj1 it has an exclusion in the dependency management section which excludes log4j
module1 depends on proj1 and log4j-over-slf4j
module2 depends on proj1

proj3 is a project that depends on module1.

enter each project one-by-one and do "mvn clean install". This works fine. So dependency exclusion etc. works.

Now, remove the comments from the exclude block in proj2/module2/pom.xml

run "mvn clean install" in proj2. Everything still builds fine in proj2. Same goes for "mvn clean install -pl :module2" (only build module2) and "mvn clean install -rf :module2" (resume from module2)

now go to proj3. The build fails because there are duplicates on the classpath. Looking at the dependency tree:

[INFO] group:proj3:jar:1-SNAPSHOT
[INFO] - group:module1:jar:1-SNAPSHOT:compile
[INFO] +- group:proj1:jar:1-SNAPSHOT:compile
[INFO] | - log4j:log4j:jar:1.2.7:compile
[INFO] - org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
[INFO] - org.slf4j:slf4j-api:jar:1.7.7:compile

log4j (which was excluded in the dependencyManagement section) has reappeared!

This only happens if there are excludes in the depMgt section of a parent pom and excludes in the dependency itself in a child project and the dependency is referred from outside the multi module project. For an in-tree project (such as module2), everything is fine.