Dependency conflicts on maven - maven

If I have some libs that have others dependencies in different versions like this example: commons-logging-1.0.4.jar (omitted for conflict with 1.1.1) and commons-logging-1.1.1.jar.
What´s the best practice about this, inform the exclusion of this conflict in the related dependency (by tag) or do nothing because the lib was omitted? Is there any problem don´t especify the exclusion of dependencies in the POM ?
Example that explain that how to resolve this in the POM, I´m putting the following instruction to resolve the internal conflicts about version:
<dependency>
<groupId>struts</groupId>
<artifactId>struts</artifactId>
<version>1.2.8</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>

You need to configure a dependencyManagement section in your [parent] POM. This will coerce artifacts coming as transitive dependencies to be of the specified version.

Related

how to use apache-maven-shade plugin to resovle multi dependency conflict

Maven shade plugin is very powerful for resolving dependency conclict, but a situation I have is as follows :
myproject
guava 31
thridparty-dependency-1
guava18
I could relocate the guava 31 dependency and then the conflict will be resolved. And how about following situation :
myproject
thirdparty-1
guava31
thirdparty-2
guava18
thirdparty-3
guava4
Or how about if there are more than two dependencies conflicting as the same dependency but with different versions ?
If I use relocation, then thirdparty-1/guava31 will be relocated but the guava18 and guava4 still conflict.
I'm not sure how to handle this situation.
You need to de-conflict these across the whole project, not just for the shaded uber-jar.
Use Maven <exclusions> in the pom.xml declarationtion to achieve this.
For example:
<dependency>
<groupId>org.neo4j</groupId>
<artifactId>neo4j</artifactId>
<version>${neo4j.version}</version>
<exclusions>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-transport-native-epoll</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-transport-native-epoll</artifactId>
<version>${netty.version}</version>
</dependency>

How to find out if any class from dependency is being used in the maven application?

I have a huge maven application with nearly about 100 maven dependencies in the pom.xml file.
One starter dependency is downloading log4j.jar which is not required at all. So, is there an easy to find in order to make sure no class from a particular jar is being used so that we can exclude it directly from starter dependency as shown below.
<dependency>
<groupId>com.example.group</groupId>
<artifactId>example-artifact</artifactId>
<version>1.11.5</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
Basically I want to exclude the jar which I am not using at all but simply comes as a transitive dependency.
More specifically, this will show you exactly what you're asking:
https://maven.apache.org/plugins/maven-dependency-plugin/examples/resolving-conflicts-using-the-dependency-tree.html

Maven Class path error multiple SLF4J bindings

I have been getting this error while trying to do a MAVEN INSTALL. I tried exclusions, but not sure the where to include in pom file. Let me how and what exclusion tags should i include in my pom file. I am also attaching my pom file snippet where to include the exclusions`SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in
[jar:file:/C:/Users/147188/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in
[jar:file:/C:/Users/147188/.m2/repository/org/apache/logging/log4j/log4j-slf4j-impl/2.10.0/log4j-slf4j-impl-2.10.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an
explanation. SLF4J: Actual binding is of type
[ch.qos.logback.classic.util.ContextSelectorStaticBinder]
POM file:
<!-- Start of required part to make log4j work -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- End of required part to make log4j work -->
1 Run
mvn dependency:tree
to see which package import org.slf4j
2 keep one, and exclude other
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
Correct way to exclude default logging, and configure log4j for logging.
Add this dependency in Spring Boot project, if it is not already there
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
Refer Spring Logging - How To.
That message indicates that you are bringing in both logback-classic and log4j-slf4j-impl, which both want to be the logging framework for SLF4J to bind to. If you're not sure which dependency is bringing in which other dependencies, I find it very useful to run "mvn dependency:tree" to see the tree of dependencies being used. That should give you enough information to figure out which logging framework binding you need to exclude.
As the documentation that the warning points to you says,
Embedded components such as libraries or frameworks should not declare a dependency on any SLF4J binding but only depend on slf4j-api. When a library declares a compile-time dependency on a SLF4J binding, it imposes that binding on the end-user, thus negating SLF4J's purpose. When you come across an embedded component declaring a compile-time dependency on any SLF4J binding, please take the time to contact the authors of said component/library and kindly ask them to mend their ways.
You pretty much want to exclude all actual logging frameworks from all dependencies, so that the only logging framework being used is the one you've explicitly added. I even often find it useful to set up some maven-enforcer-plugin bannedDependencies rules to ensure that I don't accidentally bring in another logging framework when updating my dependencies. It can also be helpful to use dependencyManagement sections in your POM to ensure that all your dependencies use the same version of slf4j-api.
I ran into same log4j-slf4j multiple binding issue. There are multiple reasons which caused this issue (Struggled a lot for this issue :) ). Please find below comments.
I was using Spring-Boot version 1.4.7, which internally configured with slf4j-1.7.25 version. Below is the url link, where you can find Spring-Boot version and respective module versions.
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/
It seems when you use "spring-boot-starter" dependency, SB(Spring-Boot) will automatically download all these dependent modules. In my project, i was using slf4j-1.7.21, which created multiple slf4j version issue. In short, SB was not able to identify which slf4j version to use at runtime. So, first I changed my slf4j version to 1.7.25(which is compatible with Spring-Boot version 1.4.7).
Next you need to exclude right module (in my case exclusion of log4j-over-slf4j, logback-classic worked). You need to add below exclusions in all of spring-boot-starter-** module. For Eg : Here I am adding exclusion for spring-boot-starter-data-redis.
Hope this will resolve issue.

Find all dependencies that include a given package

I excluded an artifact because it causes conflicts, namely the jsr311-api given below. Yet when I run the generated jar I'm still getting the java.lang.NoSuchMethodError error. I suspect that another dependency is also including this artifact. How can I find out which one? My dependency list is quite large. Which dependencies include the package javax.ws.rs.core?
<dependency>
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-kernel</artifactId>
<version>1.7.3</version>
<exclusions>
<!-- Causes java.lang.NoSuchMethodError: javax.ws.rs.core.Response$Status$Family.familyOf(I)Ljavax/ws/rs/core/Response$Status$Family; -->
<exclusion>
<artifactId>jsr311-api</artifactId>
<groupId>javax.ws.rs</groupId>
</exclusion>
</exclusions>
</dependency>
Go to
http://search.maven.org/#advancedsearch%7Cgav
and use classname search to find
javax.ws.rs.core.Response
If you use a Nexus 2.x in your company, you can use classname search there as well.
If you want to find out where a given artifact (that you e.g. found by classnmae search) comes from, use dependency:tree in Maven.
In my case the mistake was that I had to manually add the javaee api and I set <scope>provided</scope> which was a mistake, fixing this solved the problem.
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-api</artifactId>
<version>7.0</version>
<scope>provided</scope><!-- remove this -->
</dependency>

Excluding transitive dependency from Maven pom

I have a Maven dependency added where type is test-jar and scope is test. I want to remove a transitive dependency from this (because in the Nexus prod repo this dependency is missing which leads to Jenkins build failure). I have added a exclusion tag but still the dependency is not removed i.e. Jenkins build still fails and complains about this dependency. Any clue why?
<dependency>
<groupId>com.xxx</groupId>
<artifactId>xxx</artifactId>
<type>test-jar</type>
<version>${xxx.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>jamon</artifactId>
<groupId>com.jamonapi</groupId>
<!-- <scope>compile</scope> -->
</exclusion>
</exclusions>
</dependency>
You can use the following command to find out the transitive dependency details and then you can exclude the dependency:
mvn dependency:tree -Dverbose -Dincludes=<artifact_name>

Resources