Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-5708

Maven dependency resolution inconsistent with multiple excludes



    • Bug
    • Status: Reopened
    • Major
    • Resolution: Unresolved
    • 3.2.3
    • Dependencies
    • None


      This is how to reproduce the problem:

      download and unpack the attached tarball. It contains three projects:

      proj1 depends on log4j and commons-lang3
      proj2 is a multi module project which uses proj1. But it uses slf4j, so for proj1 it has an exclusion in the dependency management section which excludes log4j
      module1 depends on proj1 and log4j-over-slf4j
      module2 depends on proj1

      proj3 is a project that depends on module1.

      enter each project one-by-one and do "mvn clean install". This works fine. So dependency exclusion etc. works.

      Now, remove the comments from the exclude block in proj2/module2/pom.xml

      run "mvn clean install" in proj2. Everything still builds fine in proj2. Same goes for "mvn clean install -pl :module2" (only build module2) and "mvn clean install -rf :module2" (resume from module2)

      now go to proj3. The build fails because there are duplicates on the classpath. Looking at the dependency tree:

      [INFO] group:proj3:jar:1-SNAPSHOT
      [INFO] - group:module1:jar:1-SNAPSHOT:compile
      [INFO] +- group:proj1:jar:1-SNAPSHOT:compile
      [INFO] | - log4j:log4j:jar:1.2.7:compile
      [INFO] - org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
      [INFO] - org.slf4j:slf4j-api:jar:1.7.7:compile

      log4j (which was excluded in the dependencyManagement section) has reappeared!

      This only happens if there are excludes in the depMgt section of a parent pom and excludes in the dependency itself in a child project and the dependency is referred from outside the multi module project. For an in-tree project (such as module2), everything is fine.


        1. dependency-bug-3.tar.gz
          1 kB
          Henning Schmiedehausen
        2. dependency-bug-2.tar.gz
          1 kB
          Henning Schmiedehausen
        3. dependency-bug.tar.gz
          1 kB
          Henning Schmiedehausen

        Issue Links



              Unassigned Unassigned
              hgschmie Henning Schmiedehausen
              1 Vote for this issue
              7 Start watching this issue