
`jbang export mavenrepo` generated pom file includes transient dependencies

Open someth2say opened this issue 3 years ago • 2 comments

Describe the bug

The pom file generated by `jbang export mavenrepo` includes direct and transient dependencies. In Maven, dependencies are resolved in inverse order (the last declaration overrides previous ones). If a transient dependency is included after a declared dependency, the transient dependency will override the declared dependency, effectively breaking the dependency tree.

To Reproduce Steps to reproduce the behavior:

  1. Declare a dependency explicitly, e.g. `//DEPS com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.0`
  2. Declare another dependency that transitively depends on a different version of the previous dependency, e.g. `//DEPS com.hubspot.jinjava:jinjava:2.6.0`, which transitively depends on `fasterxml.jackson.dataformat:jackson-dataformat:2.7.9`
  3. Generate the pom file with `jbang export mavenrepo`

Expected behavior The generated effective pom file (or the tree generated by `mvn dependency:tree`) should include only the declared dependency: `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.0`. In other words, the transitive dependency `fasterxml.jackson.dataformat:jackson-dataformat:2.7.9` should not appear in the generated pom file (or, if it appears, it should be before the declared dependency, so Maven version resolution retains the declared dependency).

JBang version 0.83.1

Additional context The same transitive dependencies appear in the `.classpath` files generated by `jbang edit`. In this case, the order of dependencies in the `.classpath` file is the same as the order of declared dependencies in the script. As dependency resolution, in this case, is in order (the first declaration overrides later ones), the resolution is "correct" (meaning the declared dependency is used). `.classpath` files must include all dependencies, both direct and transitive. I didn't test, but I suspect this might lead to hairy situations (e.g. when having transitive dependencies before and after a declared dependency).

someth2say avatar Nov 24 '21 09:11 someth2say
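A check for the situation the report describes, added here as an example and not part of the issue or of jbang: it parses a generated pom and reports every `groupId:artifactId` declared more than once with differing versions, noting that Maven keeps the last declaration. The pom below is constructed for the example; it reuses the `jackson-dataformat-yaml` coordinates from step 1 for both the declared `2.13.0` and the transitive `2.7.9` entry so that they collide.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the issue describes: the explicitly declared
# 2.13.0 first, the transitive 2.7.9 (pulled in via jinjava) appended after it.
# Not a real jbang-generated file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId>
      <artifactId>jackson-dataformat-yaml</artifactId>
      <version>2.13.0</version>
    </dependency>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>2.6.0</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId>
      <artifactId>jackson-dataformat-yaml</artifactId>
      <version>2.7.9</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def find_duplicate_versions(pom_xml):
    """Return {"group:artifact": [versions in declaration order]} for every
    coordinate declared more than once with differing versions. Maven keeps
    the last declaration of a duplicate, so versions[-1] is the one that wins."""
    root = ET.fromstring(pom_xml)
    seen = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        seen.setdefault(f"{group}:{artifact}", []).append(version)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


if __name__ == "__main__":
    for coord, versions in find_duplicate_versions(SAMPLE_POM).items():
        print(f"{coord}: declared {versions[0]}, but Maven will use {versions[-1]}")
```

Run it against the pom that `jbang export mavenrepo` writes before publishing the repository; an empty result means no declared version can be silently replaced by a later transitive one.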

@maxandersen won't this be solved by simply only including the dependencies that are explicitly mentioned in all the //DEPS statements? (We could do the resolve solely to check that the dependencies are actually correct, but theoretically we could just copy the //DEPS to the POM, right? Or am I missing something?)

quintesse avatar Dec 14 '21 10:12 quintesse

Correct, we should by default just add the explicit dependencies, leaving out implicit dependencies to be resolved by Maven.

maxandersen avatar Nov 10 '22 09:11 maxandersen