Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
3.3.9, 3.5.0, 3.6.0
-
None
-
None
-
maven-3.3.9 to maven-3.6.0
Description
We face an issue when a same artifact-X is transitively brought by a dependency-1
with provided scope, and another dependency-2 with default (compile) scope.
This artifact-X will be computed as compile scope, while we expect it to be explicitly provided by dependency-1.
For example, dependency-1 pom contains:
<dependencies> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-lang3</artifactId> <version>3.7</version> </dependency> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-collections4</artifactId> <version>4.1</version> </dependency> </dependencies>
dependency-2 pom contains:
<dependencies> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-lang3</artifactId> <version>3.8</version> </dependency> </dependencies>
Assembly project pom contains:
<dependencies> <!-- do not include dependencies already provided by module-1 at runtime --> <dependency> <groupId>com.company</groupId> <artifactId>module-1</artifactId> <version>1.0</version> <scope>provided</scope> </dependency> <!-- get dependencies required by module-2 runtime --> <dependency> <groupId>com.company</groupId> <artifactId>module-2</artifactId> <version>1.0</version> </dependency> </dependencies>
But a mvn dependency:tree on assembly project will output:
[INFO] --- maven-dependency-plugin:3.1.0:tree (show-app-dependencies) @ module-3 --- [INFO] com.company:module-3:pom:1.0 [INFO] +- com.company:module-1:jar:1.0:provided [INFO] | +- org.apache.commons:commons-lang3:jar:3.7:compile [INFO] | \- org.apache.commons:commons-collections4:jar:4.1:provided [INFO] \- com.company:module-2:jar:1.0:compile
And we can see the artifact commons-lang3:jar:3.7 which come from dependency-1 is now at compile scope. Note that we don't use any dependency management here (see simple reproducer project in attachment).
This is confusing, and leads to duplicate libraries in runtime classpath when dependency-1 is effectively provided in classpath of dependency-2 runtime (for example by an application server).
Moreover, based on Maven documentation about dependency mediation/scope, the transitive dependencies that are provided should be always ommited.
Then, how to package ONLY the libraries defined as compile/runtime (and ignore all the provided ones, and their transitives) ??