Can child poms inherit dependency exclusions defined in the parent pom? - maven

I'm not sure if this is support by Maven or not. I appreciate any help I can get.
I have a parent pom that defines a dependency and an exclusion. I can't change the parent pom:
<dependency>
<groupId>foo</groupId>
<artifactId>bar</artifactId>
<version>1.0</version>
<exclusions>
<!-- this exclusion needs to be inherited by all children -->
<exclusion>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-config-server</artifactId>
</exclusion>
</exclusions>
</dependency>
Then in the child pom, I have a need to exclude a different dependency from that same dependency in the parent. Like so
<dependency>
<groupId>foo</groupId>
<artifactId>bar</artifactId>
<version>1.0</version>
<exclusions>
<!-- this exclusion is just for the child -->
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
</exclusions>
</dependency>
But if I do that, the child will have the slf4j jar excluded (correctly), but it will NOT have the spring-cloud-config-server jar excluded, unless if I restate the parent exclusion in the child declaration of that dependency.
I realize I could just copy it, but that's messy, and I realize that it would be easy to push the child's exclusion up to the parent, but then I'd be forcing that exclusion on all the other children.
What I'd like is for Maven to merge the dependency exclusion information when the same dependency is declared differently in the parent and child.
Is that possible?

In your parent pom:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>foo</groupId>
<artifactId>bar</artifactId>
<version>1.0</version>
<exclusions>
<!-- this exclusion needs to be inherited by all children -->
<exclusion>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-config-server</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
In your child pom:
<dependencies>
<dependency>
<groupId>foo</groupId>
<artifactId>bar</artifactId>
<exclusions>
<!-- this exclusion is just for the child -->
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>

Related

How to lock version Dependency/Plugin with Maven archetype

I'm currently working on how to fix version of dependencies and plugins with maven archetype. Here is how my archetype-resources/pom.xml look like.
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>${spring-version}</version>
The archetype-metadata.xml look like that:
<requiredProperties>
<requiredProperty key="spring-version">
<defaultValue>2.1.5.RELEASE</defaultValue>
</requiredProperty>
</requiredProperties>
Then i added the property to the archetype.properties file
spring-version=2.1.5.RELEASE
When I create an project from this archetype it will correctly show the 2.1.5.RELEASE version.
However this method seems not the best when you have a lot more dependencies or it is not the proper manner on how to lock version?
from https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
Dependency Management
The dependency management section is a mechanism for centralizing dependency information. When you have a set of projects that inherits a common parent it's possible to put all information about the dependency in the common POM and have simpler references to the artifacts in the child POMs. The mechanism is best illustrated through some examples. Given these two POMs which extend the same parent:
Project A:
<project>
...
<dependencies>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
<version>1.0</version>
<exclusions>
<exclusion>
<groupId>group-c</groupId>
<artifactId>excluded-artifact</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>bar</type>
<scope>runtime</scope>
</dependency>
</dependencies>
</project>
Project B:
<project>
...
<dependencies>
<dependency>
<groupId>group-c</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>bar</type>
<scope>runtime</scope>
</dependency>
</dependencies>
</project>
These two example POMs share a common dependency and each has one non-trivial dependency. This information can be put in the parent POM like this:
<project>
...
<dependencyManagement>
<dependencies>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
<version>1.0</version>
<exclusions>
<exclusion>
<groupId>group-c</groupId>
<artifactId>excluded-artifact</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>group-c</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>bar</type>
<scope>runtime</scope>
</dependency>
</dependencies>
</dependencyManagement>
</project>
Then the two child poms become much simpler:
<project>
...
<dependencies>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<!-- This is not a jar dependency, so we must specify type. -->
<type>bar</type>
</dependency>
</dependencies>
</project>
<project>
...
<dependencies>
<dependency>
<groupId>group-c</groupId>
<artifactId>artifact-b</artifactId>
<!-- This is not a jar dependency, so we must specify type. -->
<type>war</type>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<!-- This is not a jar dependency, so we must specify type. -->
<type>bar</type>
</dependency>
</dependencies>
</project>
you can do this also for plugins with
What is pluginManagement in Maven's pom.xml?

Why isn't maven including a needed transitive dependency?

I am converting our Jenkins Freestyle build to Declarative Pipeline mode. I am using the same POM files.
But whenever i run the pipeline build, i see that the desired war is missing a transitive dependency. The Freestyle build includes that missing dependency however.
The Main parent POM includes:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>net.sf.dozer</groupId>
<artifactId>dozer</artifactId>
<version>5.5.1</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
The second parent includes section below, :
<dependencies>
<dependency>
<groupId>net.sf.dozer</groupId>
<artifactId>dozer</artifactId>
</dependency>
</dependencies>
For both build processes, the dozer artifact is contained in the war file. But dozer contains a dependency of its own:
<dependencies>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.1</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
It is this commons-beanutils that I am missing from my final war when i do the Pipeline build. Since I am using the same POM files for both build processes, how can this be possible?
Please help

Exclude maven dependency by adding it as test scope?

I have my own slf4j implementation so I want to remove logback from many dependencies, e.g.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>...</version>
<exclusions>
<exclusion>
<artifactId>logback-classic</artifactId>
<groupId>ch.qos.logback</groupId>
</exclusion>
</exclusions>
</dependency>
...
But I find a quick way by adding it as test scope:
<dependency>
<artifactId>logback-classic</artifactId>
<groupId>ch.qos.logback</groupId>
<version>...</version>
<scope>test</scope>
</dependency>
Is this a good practice in maven?
I can see how test scope does the trick, but I would personally oppose from such hacks. If your team loose discipline and start incorporating hacks into your application just to save few lines of code, your application will be unmaintainable pretty soon.
You also shouldn't specify versions of spring managed dependencies. You should just define Spring boot version in parent section of your pom. You can find matrix of spring managed dependencies in spring-boot-dependencies file.
I would suggest excluding spring-boot-starter-logging instead of logback directly. So if you are using log4j2 (hopefully you are not planning to use log4j anymore), just do this:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.6.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>

The exclusion tag can't solve the duplicated dependency version

Here is my problem, I have a parent pom.xml which defines the:
--------parent pom.xml-----------------
<dependencyManagement>
<dependency>
<groupId>org.robolectric</groupId>
<artifactId>robolectric</artifactId>
<version>2.3</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-artifact</artifactId>
<version>3.0.3</version>
</dependency>
</dependencyManagement>
Inside this roboletric pom.xml we have:
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-ant-tasks</artifactId>
<version>2.1.3</version>
</dependency>
Inside the maven-ant-tasks pom.xml, it has:
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-artifact</artifactId>
<version>2.2.1</version>
</dependency>
So whenever I am calling the API which only exists in the maven-artifact 3.0.3 in the roboletric test case, it will throw nosuchmethod exception.
So I have tried:
1. <dependency>
<groupId>org.robolectric</groupId>
<artifactId>robolectric</artifactId>
<version>2.3</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.apache.maven</groupId>
<artifactId>maven-artifact</artifactId>
</exclusion>
</exclusions>
</dependency>
I also tried moving:
org.apache.maven
maven-artifact
3.0.3
to the child pom under the <dependencyManagement> which I think it should override the parent but actually it didn't.
I think this kind of problem should be very common but I just can't figure it out, any suggestions?
You should define dependency management in your parent POM to nail down the version of maven-artifact in all (transitive) dependencies:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-artifact</artifactId>
<version>3.0.3</version>
</dependency>
</dependencies>
</dependencyManagement>

Resolve maven transitive dependency conflict

My project depends on a thirdparty library, the dependency is defined in my POM like this:
<dependency>
<groupId>thirdparty</groupId>
<artifactId>main</artifactId>
<version>1.0.0-SNAPSHOT</version>
</dependency>
This thirdparty main library in turn depends on other two libraries, here's a part of dependency management defined in its pom:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>thirdparty</groupId>
<artifactId>x</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>thirdparty</groupId>
<artifactId>y</artifactId>
<version>1.0.0</version>
</dependency>
...
Now the thirdparty x library has a dependency on y defined in its pom like this:
<dependency>
<groupId>thirdparty</groupId>
<artifactId>y</artifactId>
<version>1.0.0-SNAPSHOT</version>
</dependency>
Note the snapshot version! This looks like a problem in thirdparty poms, but I have no control over it.
The interesting thing though is that if you try to maven build the main thirdparty project it uses (resolves and installs to local repo) the correct thirdparty:y:1.0.0 version of artifact. But when I'm building my original project it tries to resolve the snapshot version of thirdparty:y.
My questions are:
Why does this happen? I was sure that maven should choose the artifact version that is found closest to the project root, which would be 1.0.0 in my case.
Is there any way to fix this problem without adding explicit dependencies to thirdparty:y:1.0.0 to my project's pom?
First of all make sure you realy need the snapshot version. There should normaly be a released version (without -SNAPSHOT).
if you do need it, this should do the trick:
<properties>
<dependeny.main.version>1.0.0-SNAPSHOT</dependeny.main.version>
<dependeny.x.version>1.0.0</dependeny.x.version>
<dependeny.y.version>1.0.0</dependeny.y.version>
<properties>
<dependencies>
...
<dependency>
<groupId>thirdparty</groupId>
<artifactId>main</artifactId>
</dependency>
<dependency>
<groupId>thirdparty</groupId>
<artifactId>x</artifactId>
</dependency>
<dependency>
<groupId>thirdparty</groupId>
<artifactId>y</artifactId>
</dependency>
...
</dependencies>
<dependencyManagement>
<dependencies>
...
<dependency>
<groupId>thirdparty</groupId>
<artifactId>main</artifactId>
<version>${dependeny.main.version}</version>
<exclusions>
<exclusion>
<groupId>thirdparty</groupId>
<artifactId>x</artifactId>
</exclusion>
<exclusion>
<groupId>thirdparty</groupId>
<artifactId>y</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>thirdparty</groupId>
<artifactId>x</artifactId>
<version>${dependeny.x.version}</version>
<exclusions>
<exclusion>
<groupId>thirdparty</groupId>
<artifactId>y</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>thirdparty</groupId>
<artifactId>y</artifactId>
<version>${dependeny.y.version}</version>
</dependency>
...
</dependencies>
</dependencyManagement>
I hope this helps you out.

Resources