Menu
I just experienced a case of two direct dependencies of my maven project having two different versions of a particular transitive dependency.
In my particular case I had direct dependencies on the following:
<dependency>
<groupId>org.jclouds.driver</groupId>
<artifactId>jclouds-sshj</artifactId>
<version>${jclouds.version}</version>
</dependency>
and
<dependency>
<groupId>org.mule.modules</groupId>
<artifactId>mule-module-jersey</artifactId>
<version>${mule.version}</version>
</dependency>
Both of these dependencies had a (deep) transitive dependency on com.sun.jersey:jersey-core, but with different versions for each. Maven didn't fail on this or even warn (or if it did, I never saw it!) that such a thing was happening... and as such I never noticed it until debugging a problem that happened when the version of jersey-core brought in by the jclouds dependency caused some things to break.
Is there a maven plugin or some other tool that exists that will detect this sort of deep transitive dependency overriding and at least warn the user (or fail the maven execution) if it detects such a collision... even if the default maven behavior is to just pick the first version that appears when resolving dependencies?
637
You can click the tabs on the bottom to explore dependencies, then r click on one and say “exclude”.
Maven can automatically bring in these artifacts, also called transitive dependencies. Version collision happens when multiple dependencies link to the same artifact, but use different versions.
Transitive Dependencies. Maven avoids the need to discover and specify the libraries that your own dependencies require by including transitive dependencies automatically. This feature is facilitated by reading the project files of your dependencies from the remote repositories specified.
Use the Dependency Enforcer plugin. It will stop the build when dependencies don't converge properly.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>1.0.1</version>
<executions>
<execution>
<id>enforce</id>
<configuration>
<rules>
<DependencyConvergence />
</rules>
</configuration>
<goals>
<goal>enforce</goal>
</goals>
</execution>
</executions>
</plugin>
@Clement P has provided you with a perfectly good answer. Note however that it might be insufficient for multi-module projects.
The depedndencyconvergence goal of the enforcer plugin knows how to detect transitive dependency collisions, but a collision may hide itself in a different manner.
Suppose you have a multi-module project. Root is A and it has 2 sub modules, B1 and B2.
B1 declares a dependency on artifact a:b:c: 1.1, while B2 declares a dependency on artifact a:b:c: 2.0
In this case, if both modules are built and deployed with their dependencies- you will have a collision, but it is a kind the enforcer plugin does not know how to detect. Since project A doesn't (can't) depend on its sub modules.
In order to overcome this problem in our organization, we used the dependency:list plugin and analyzed its output manually.
Rough description of the process:The output of running this goal is a list of all transitive dependencies of all the projects in the project hierarchy. We than parse the output, sort the dependencies and search only for those artifacts that differ only by version id. This requires some scripting in your CI env but it is the only way for now to get the overall picture.
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
