Skip to content

[MNG-8132] Dependency-management "client" exclusions overwrite BOM exclusions #9713

New issue
New issue
Closed
Closed
[MNG-8132] Dependency-management "client" exclusions overwrite BOM exclusions#9713
Assignees
gnodet
Labels
bugSomething isn't workingpriority:majorMajor loss of function
Milestone
4.0.0
@jira-importer

Description

@jira-importer
jira-importer
opened on May 29, 2024

Lenny Primak opened MNG-8132 and commented

Continuation of https://issues.apache.org/jira/browse/MNG-8118

When importing BOM and introducing exclusions, they overwrite exclusions already present in the BOM. They should not

Slack conversation link: https://the-asf.slack.com/archives/C7Q9JB404/p1714938396499939

Regressed by https://issues.apache.org/jira/browse/MNG-5600

Reproducer project: https://github.com/flowlogix/bom-exclusions-mvn4

Offending / reproducing key lines of pom. Shiro BOM excludes non-Jakarta classifier reference to Shrio-core amongst other things:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-bom</artifactId>
                <version>2.0.0</version>
                <type>pom</type>
                <scope>import</scope>
                <exclusions>
<!-- ****           Inserting below exclusion triggers the failure-->
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>*</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
        </dependencies>
    </dependencyManagement>

Expected result (maven 3.9.7) only one shiro-core.jar dependency with jakarta classifier is present:

lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree
Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0)
Maven home: /Users/lprimak/.sdkman/candidates/maven/3.9.7
Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >-----------
[INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]--------------------------------
[INFO] 
[INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
..... cut unnecessary lines
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time1.630 s
[INFO] Finished at: 2024-05-28T22:44:57-04:00
[INFO] -----------------------------------------------------------------------

 

Current result (maven 4.0.0-alpha-3): both shiro-core with and without jakarta classifier exist:

lprimak@Lennys-MacBook-Pro bom-exclusions-mvn4 % mvn -V dependency:tree    
Apache Maven 4.0.0-beta-3 (e92f645c2749eb2a4f5a8843cf01e7441e4b559f)
Maven home: /Users/lprimak/.sdkman/candidates/maven/4.0.0-beta-3
Java version: 22.0.1, vendor: Azul Systems, Inc., runtime: /Users/lprimak/.sdkman/candidates/java/22.0.1.fx-zulu/zulu-22.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.7.5", arch: "x86_64", family: "mac"
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------------------< com.flowlogix.repdoducers:bom-exclusions-mvn4 >------------------------------------
[INFO] Building bom-exclusions-mvn4 1.x-SNAPSHOT
[INFO]   from pom.xml
[INFO] ---------------------------------------------------------[ pom ]---------------------------------------------------------
[INFO] 
[INFO] --- dependency:3.6.1:tree (default-cli) @ bom-exclusions-mvn4 ---
[INFO] com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile
*** below should not exist - non-jakarta classifier 
[INFO] |  +- org.apache.shiro:shiro-core:jar:2.0.0:compile
[INFO] |  \- org.owasp.encoder:encoder:jar:1.2.3:compile
*** below is the correct reference to shiro-core
[INFO] \- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile
..... cut unnecessary lines 
[INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:1.x-SNAPSHOT to project local repository
[INFO] Copying com.flowlogix.repdoducers:bom-exclusions-mvn4:pom:consumer:1.x-SNAPSHOT to project local repository
[INFO] -------------------------------------------------------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] -------------------------------------------------------------------------------------------------------------------------
[INFO] Total time2.589 s
[INFO] Finished at: 2024-05-28T22:49:26-04:00
[INFO] -------------------------------------------------------------------------------------------------------------------------

 

Affects: 4.0.0-alpha-13, 4.0.0-beta-3

Remote Links:

Backported to: 4.0.0-beta-4

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingpriority:majorMajor loss of function

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions