Menu
This is a dependency tree generated by Maven 2.2.1 with mvn -o dependency:tree -Dverbose -Dincludes=log4j
[INFO] [dependency:tree {execution: default-cli}] [INFO] com.openboxes.renderingservice:common:jar:1.0 [INFO] +- org.springframework:spring:jar:2.0.4:compile [INFO] | \- commons-logging:commons-logging:jar:1.1:compile [INFO] | \- log4j:log4j:jar:1.2.12:compile [INFO] \- it.mycompany.portal:server:jar:1.5-SNAPSHOT:compile [INFO] \- org.slf4j:slf4j-log4j12:jar:1.1.0:compile [INFO] \- (log4j:log4j:jar:1.2.13:compile - omitted for conflict with 1.2.12) As you can see log4j v1.2.12 is preferred over v1.2.13.
I know that "Maven resolves version conflicts with a nearest-wins strategy" (see http://maven.apache.org/plugins/maven-dependency-plugin/examples/resolving-conflicts-using-the-dependency-tree.html) but these two dependencies seem to be at the same distance (two nesting levels, am I wrong?) so I expect that the most recent one is used.
Can someone explain this result?
Yes, log4j is not explicitly declared in this POM (and I think it should be), but I would like to better understand the way Maven works.
Thx
483
Find it using maven infrastructure. Go to https://search.maven.org/ and enter your groupId and artifactId. Or you can go to https://repo1.maven.org/maven2/ and navigate first using plugins groupId, later using artifactId and finally using its version.
Enforcer can help developers solve dependency conflicts in Maven by analyzing all libraries declared in the POM file. The plugin uses a lot of different rules, but we are only interested in one: dependencyConvergence – ensures all dependencies converge to the same version.
Multiple transitive dependencies can be excluded by using the <exclusion> tag for each of the dependency you want to exclude and placing all these exclusion tags inside the <exclusions> tag in pom. xml. You will need to mention the group id and artifact id of the dependency you wish to exclude in the exclusion tag.
I've found the answer by myself at http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html: "if two dependency versions are at the same depth in the dependency tree, until Maven 2.0.8 it was not defined which one would win, but since Maven 2.0.9 it's the order in the declaration that counts: the first declaration wins".
It seems a very questionable strategy to me. :-\
69
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
