Howdy,

Problem with BOM imports is that they were never "done done" in Maven 3.x time-frame, and they work the total opposite to everything else in Maven (think dependencies, as Delany says), hence they work in "non Maven way", not intuitive way, and tend to cause (usually bad) surprises. Sadly, they are overused in many projects, especially with recursive-imports happening. Maven 4 just tries to warn you about these, when a dependency is "stepping on toe" of another dependency, but again, as a consumer, you have not much control over it. Personally, I'd avoid using BOMs like these, and I'd preferably generate my own.

In short, BOMs should be
* flat (no recursive import)
* generated
* curated

Sadly, with BOM you point at, none of these stands. Maven 4 tries to "fix" things, that's all. Same as with CI Friendly support, this is just yet another "incomplete" implementation.

Personally, I'd prevent or better REMOVE recursive import capability (so dep type=pom scope=import would NOT recursively import anything) -- just to force them to be flat for start.

BOMs should be curated and generated (and flat). For these cases:
* take a peek at BOM generator (used in Maven build as well): https://github.com/maveniverse/bom-builder-maven-plugin
* took a stab for a tool I'd use: BOM flatten, try it out! https://github.com/maveniverse/toolbox/pull/180

Regarding flatten-BOM: again, perso I'd NOT use BOM specified by you, but instead I'd deploy "flattened" BOM under my namespace (see gist example) and use that. Given it is generated, you can just generate new for any new version out there.

My 5 cents
T

On Mon, Mar 17, 2025 at 8:43 PM Karl Heinz Marbaise <khmarba...@gmx.de.invalid> wrote:
>
> Hi to all,
>
> currently I'm trying to build a simple spring boot application which
> uses a BOM for spring-boot-dependencies..
>
> <dependency>
>   <groupId>org.springframework.boot</groupId>
>   <artifactId>spring-boot-dependencies</artifactId>
>   <version>3.3.3</version>
>   <scope>import</scope>
>   <type>pom</type>
> </dependency>
>
> So based on the releases of JUnit Jupiter, Mockito etc.
> I define the BOMs of JUnit Jupiter and Mockito (and others; only
> excerpts shown here) before the spring boot dependencies like this,
> because I want to use newer versions, than spring-boot-dependencies defines.
>
>
> <dependencyManagement>
>   <dependencies>
>     <dependency>
>       <groupId>org.junit</groupId>
>       <artifactId>junit-bom</artifactId>
>       <version>5.12.1</version>
>       <type>pom</type>
>       <scope>import</scope>
>     </dependency>
>     <dependency>
>       <groupId>org.mockito</groupId>
>       <artifactId>mockito-bom</artifactId>
>       <version>5.16.1</version>
>       <scope>import</scope>
>       <type>pom</type>
>     </dependency>
>     ..
>     <dependency>
>       <groupId>org.springframework.boot</groupId>
>       <artifactId>spring-boot-dependencies</artifactId>
>       <version>${spring.boot.version}</version>
>       <scope>import</scope>
>       <type>pom</type>
>     </dependency>
>     ..
>   </dependencies>
> </dependencyManagement>
>
>
> If I build the project Maven 4.0.0-rc3 I got a bunch of warnings like this:
> mvn clean -e
> [INFO] Error stacktraces are turned on.
> [INFO]
> .....
> [INFO] Scanning for projects...
> [WARNING]
> [WARNING] 26 problems were encountered while building the effective
> model for 'com.soebes.spring.example:employee:jar:0.0.1-SNAPSHOT' (use
> -e to see details)
> [WARNING] Ignored POM import for:
> org.assertj:assertj-core:jar:3.25.3@compile as already imported
> org.assertj:assertj-core:jar:3.27.3@compile. Add the conflicting managed
> dependency directly to the dependencyManagement section of the POM.
> [WARNING] Ignored POM import for:
> org.assertj:assertj-guava:jar:3.25.3@compile as already imported
> org.assertj:assertj-guava:jar:3.27.3@compile. Add the conflicting
> managed dependency directly to the dependencyManagement section of the POM.
> [WARNING] Ignored POM import for:
> org.junit.jupiter:junit-jupiter:jar:5.10.3@compile as already imported
> org.junit.jupiter:junit-jupiter:jar:5.12.1@compile. Add the conflicting
> managed dependency directly to the dependencyManagement section of the
> POM....
>
> In Maven 3.9.9 I can build that project without any warning, because the
> junit-bom is defined before the spring-boot-dependencies (which has
> junit-bom on its own in an older version), but overwrites the defined
> in the spring-boot-dependencies with the newer versions, which is
> exactly what I want..
>
> Back to Maven 4:
> So does that mean I have to add all the deps which are coming from the
> junit-bom (also for the deps from assertj-bom, mockito-bom etc.)
> manually into my dependencyManagement, as suggested?
>
> That will wipe away any advantage that using BOMs gives me.
>
> Is there a better solution which I'm not yet aware of?
>
> Kind regards
> Karl Heinz Marbaise
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
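An added example (not part of the thread, and not Maven's own code): a simplified Python model of the behaviour discussed above, where the first declared import wins, that flattens nested BOM imports into one list and reports every managed version that was shadowed. The BOM contents are constructed sample data using versions from the quoted warnings; `flatten` and `render` are hypothetical names.

```python
# Simplified model (not Maven's code) of dependencyManagement imports:
# a POM's own entries come first, then its imports in declaration order,
# and the first declaration of a groupId:artifactId wins.
# BOM contents are constructed sample data, not the real POMs.
SBD = "org.springframework.boot:spring-boot-dependencies:3.3.3"
BOMS = {  # coordinate -> (own managed entries, nested BOM imports)
    "org.junit:junit-bom:5.12.1": ({"org.junit.jupiter:junit-jupiter": "5.12.1"}, []),
    "org.junit:junit-bom:5.10.3": ({"org.junit.jupiter:junit-jupiter": "5.10.3"}, []),
    "org.assertj:assertj-bom:3.27.3": ({"org.assertj:assertj-core": "3.27.3"}, []),
    "org.assertj:assertj-bom:3.25.3": ({"org.assertj:assertj-core": "3.25.3"}, []),
    SBD: ({"org.springframework.boot:spring-boot": "3.3.3"},
          ["org.junit:junit-bom:5.10.3", "org.assertj:assertj-bom:3.25.3"]),
}
PROJECT_IMPORTS = ["org.junit:junit-bom:5.12.1", "org.assertj:assertj-bom:3.27.3", SBD]


def flatten(managed, imports, origin="project", boms=BOMS):
    """Return (flat, conflicts): flat maps GA -> (version, declaring BOM);
    conflicts lists (GA, ignored version, kept version)."""
    flat = {ga: (version, origin) for ga, version in managed.items()}
    conflicts = []
    for coord in imports:
        sub_managed, sub_imports = boms[coord]
        sub_flat, sub_conflicts = flatten(sub_managed, sub_imports, coord, boms)
        conflicts.extend(sub_conflicts)
        for ga, (version, source) in sub_flat.items():
            if ga not in flat:
                flat[ga] = (version, source)      # first declaration wins
            elif flat[ga][0] != version:
                conflicts.append((ga, version, flat[ga][0]))  # shadowed entry
    return flat, conflicts


def render(flat):
    """Render the flat result as explicit <dependency> entries with provenance."""
    rows = []
    for ga, (version, source) in sorted(flat.items()):
        group, artifact = ga.split(":")
        rows.append(f"<dependency><groupId>{group}</groupId>"
                    f"<artifactId>{artifact}</artifactId>"
                    f"<version>{version}</version></dependency> <!-- {source} -->")
    return "\n".join(rows)


if __name__ == "__main__":
    flat, conflicts = flatten({}, PROJECT_IMPORTS)
    for ga, ignored, kept in conflicts:
        print(f"shadowed: {ga} {ignored} (kept {kept})")
    print(render(flat))
```

Reversing `PROJECT_IMPORTS` makes the older versions win, which is why a flat, generated BOM with one explicit version per artifact is easier to review than a chain of ordered imports.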