maven is wrongly using the version number I provided, why - maven

I introduced org.elasticsearch:elasticsearch:7.14.0 in pom.xml, but I ended up using the version number 7.12.1 provided in springboot, why?
I need the 7.14.0 version
End-use version
spring-boot-dependencies[pom.xml]
easy-es-parent[pom.xml] |
easy-es-common[pom.xml]
This is my complete pom.xml file
https://gist.github.com/2720851545/b75a50bd0119590f928d1e70a99ea03f

In Maven, any transitive dependency-version might be used, you could try to explicitly state in the POM which version for that given dependency you want to have.
With maven dependency-plugin, it should be transparent which dependency-version will be effective:
mvn dependency:tree

Related

How to read this google components dependencies in this pom?

I am looking at jar hell right now between selenium and a google cloud jar. selenium is a bit out of date but in trying to see the versions in the pom file found here, I see no versions...
https://repo1.maven.org/maven2/com/google/auth/google-auth-library-oauth2-http/0.17.1/
How to tell what the version of guava that it will use is?
I saw something like this but not sure how to run it
mvn -P help:effective-pom -Dverbose
I use gradle so not sure how to point that at the remote artifact. I can use gradle to see what version it's bringing in, but what I don't get is how there is no version in the pom file and where gradle is getting it from. I am praying it's not just bringing in the latest version as that would be really really bad and create an unreproducible build over time where if we tag a version of our release, later when we build, it would bring in the wrong jars and could break. Where is the version coming from for guava there?
thanks,
Dean
The POM defines a parent POM, which is
https://repo1.maven.org/maven2/com/google/auth/google-auth-library-parent/0.17.1/google-auth-library-parent-0.17.1.pom
Here you find the version of guava as a property, which is then used in the <dependencyManagement>.

Check the spring-data-jpa version in spring-boot-starter-data-jpa

As in question the pom.xml from started does not provide the version information
Using dependency tree we can see versions of all dependencies in the maven project.
mvn dependency:tree -Dverbose
Expand the maven dependencies folder in the project explorer of the IDE.
The version number is present at the end of the file name, like
spring-boot-starter-data-jpa-2.5.5.jar
Here 2.5.5 is the version number of the corresponding file.
There are couple of ways you can find the version.
One option is to verify the version downloaded from you IDE or from you .m2 folder
If you want to know where the version is specified you need to travel through the <parent> tag mentioned in the pom.xml. In the case of Spring Boot Data JPA Starter pom.xml the version is specified in spring-boot-build pom.xml within the properties tag. You can check the below link for the pom.xml definition :
spring-boot-build pom.xml

How do I get the maven dependency:tree command to show when I'm using a RELEASE version?

I'm using the maven dependency:tree command to see all my modules and submodules.
We're using a dev=RELEASE version model so that we can see our dependencies fail fast. Then we lock in a version when we go to prod.
Our dependency tree goes about four levels deep of modules.
I want a quick way to identify if anything in my pom dependencies contains a RELEASE version.
I'd like to be able to use the dependency:tree command to do this - but unfortunately it resolves all the RELEASE versions to the last 'dot' version.
Note this is using Maven 2.
My question is: How do I get the maven dependency:tree command to show when I'm using a RELEASE version?
The trick is - as the comments have pointed out - is to upgrade to Maven 3 - and then use the Maven Versions Plugin :
This means you have to set the versions explicitly - but you still get the fail-fast behaviour.
See here for more detail:
https://stackoverflow.com/a/48184999/15441

How does Maven decide what version of a plugin to use, when you don't specify any?

I recognized that Maven not always uses the latest version of a plugin.
For example org.codehaus.mojo:sonar-maven-plugin version 2.7 has beed released on 19th of October but on 23th of October, 2.6 was still used by Maven (mvn sonar:sonar).
I even remember some plugins, where the latest version was several minor releases above the version that Maven decided to use.
Is there any (central) index/list/database where Maven looks up what version to use? If yes, where can it be accessed manually?
I know this is an ancient thread but in the interest of posterity and accuracy: all pom.xmls logically inherit from the super POM. You can always see what your "real" pom.xml looks like by typing:
mvn help:effective-pom
The resulting pom.xml that is printed is a combination of the super POM, your pom.xml, and of course any parent POMs in the mix as well.
The super POM is provided by the org.apache.maven.model.superpom.DefaultSuperPomProvider class (https://github.com/apache/maven/blob/bce33aa2662a51d18cb00347cf2fb174dc195fb1/maven-model-builder/src/main/java/org/apache/maven/model/superpom/DefaultSuperPomProvider.java#L56-L85). The resource it loads is org/apache/maven/model/pom-4.0.0.xml (https://github.com/apache/maven/blob/bce33aa2662a51d18cb00347cf2fb174dc195fb1/maven-model-builder/src/main/resources/org/apache/maven/model/pom-4.0.0.xml#L23-L149).
As far as i know, this link will answer your question.
Automatic Plugin Version Resolution
When a plugin was invoked without an explicit version given in the POM
or on the command line, Maven 2.x used to pick the latest version
available where the latest version could either be a release or a
snapshot. For the sake of stability, Maven 3.x prefers the latest
release version over the latest snapshot version.
Given the threat of non-reproducible builds imposed by automatic
plugin version resolution, this feature is scheduled for removal as
far as plugin declarations in the POM are concerned. Users of Maven
3.x will find it output a warning when missing plugin versions are detected to encourage the addition of plugin versions to the POM or
one of its parent POMs. The Enforcer rule requirePluginVersions can be
used additionally check for missing plugin versions in the POM
For command line execution if a version is not specified Maven looks up the latest version from the GA (group ID/artifact ID) maven-metadata.xml file.
Example: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-clean-plugin/maven-metadata.xml
If you're encoding command line execution of Maven goals into your builds you should specify a version for these, otherwise your builds may change as new versions of plugins are released.

Maven3 - How do I found dependency resolution? ( mvn depedency:tree does not work for mvn3 )

With maven-3, it uses aether to resolve dependency.
Unfortunately, "mvn dependency:tree" use legacy (maven-2) resolution engine.
How do I find out the true dependency resolution for maven-3. I'm running into an issue where "exec:exec" creates different classpath then "dependency:tree".
In maven 3 - compatibility notes, it says I need to use "-X" and look at the log but there is no pointer what to look for.
Also, "assembly:assembly" brings in different 'jar' than when I print out classpath from "exec:exec".
dependency:tree is the correct way to get the project dependencies. Since version 2.5 of the plugin it now resolves the tree using aether.
exec:exec runs the maven exec plugin. The classpath it generates is based on the plugin dependencies, if specified. It is relevant only for the purpose of the plugin execution and not to be taken in the context of project.
The similar explanation holds good in case of assembly:assembly. The jars that it brings in entirely depends on the plugin and assembly-descriptor configuration.
Since version 2.5 of the Maven Dependency Plugin, dependency:tree works with Maven 3 (see the bug report, and the release notes)

Resources