Juan Farré created VFS-860:
------------------------------

             Summary: commons-vfs2-bom breaks dependency management
                 Key: VFS-860
                 URL: https://issues.apache.org/jira/browse/VFS-860
             Project: Commons VFS
          Issue Type: Bug
    Affects Versions: 2.10.0
            Reporter: Juan Farré


*Expected behaviour:*

When you import commons-vfs2-bom, you will import the dependency management for 
commons-vfs2 artifacts and nothing else.

 

*Actual behaviour:*

commons-vfs2-bom has commons-vfs2-project as parent. Therefore, it inherits the 
dependency-management sections of commons-vfs2-project, commons-parent and 
apache POMs, which will also be inadvertently imported together with the BOM 
itself. Moreover, and unless you make sure that commons-vfs2-bom is last in the 
dependency-management section of your resolved POM, these imported dependencies 
may override explicit dependencies that come after them in your 
dependency-management section. Examples of such dependencies are junit, 
mockito, slf4j...

 

*Suggested solution:*

> From [Introduction to the Dependency Mechanism – Maven|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Bill_of_Materials_.28BOM.29_POMs]:
> "The root of the project is the BOM POM. (...) The parent subproject has the BOM POM as its parent. It is a normal multiproject pom.".

Following the recommendations, commons-vfs2-bom would have no parent. This is 
the same thing that other Apache-Commons projects do, such as commons-numbers-bom, 
commons-rng-bom or commons-statistics-bom. commons-vfs2-parent wouldn't have 
the bom as parent, because it needs to inherit from commons-parent. Instead, 
commons-vfs2-parent could import commons-vfs2-bom into its own 
dependency-management section. Note that commons-vfs2-parent's 
dependency-management section contains the dependency to commons-vfs2-sandbox, 
which isn't included in the bom. You may want to include it in the bom and 
remove it from the parent (or not).

 

*Workaround:*

With Maven 4, it's possible to exclude the undesired managed dependencies from 
the import. The exclusion list has around 342 lines (85 exclusions) or more, 
which is pretty difficult to manage.

Of course, it's always possible just not to use the BOM and directly declare 
each managed dependency.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
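
One way to check a BOM for the leakage described in this report, as an added example that is not part of the original issue or of the Commons VFS project: the function below reads an effective POM (for instance the output of `mvn help:effective-pom`) and reports whether the BOM declares a parent and which managed dependencies fall outside the BOM's own artifacts. The function name `audit_bom`, the sample POM and its `X.Y` versions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample of an effective BOM POM that inherits from a parent.
# The managed entries and X.Y versions are placeholders, not the real POM content.
SAMPLE_EFFECTIVE_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-vfs2-project</artifactId>
    <version>2.10.0</version>
  </parent>
  <artifactId>commons-vfs2-bom</artifactId>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-vfs2</artifactId><version>2.10.0</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>X.Y</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>X.Y</version></dependency>
  </dependencies></dependencyManagement>
</project>"""


def audit_bom(pom_xml, own_group, own_prefix):
    """Return (parent artifactId or None, managed entries outside the BOM's own artifacts)."""
    root = ET.fromstring(pom_xml)
    parent = root.find("m:parent/m:artifactId", NS)
    foreign = []
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        # Anything not in the BOM's own group/prefix would be imported as a side effect.
        if group != own_group or not artifact.startswith(own_prefix):
            foreign.append(f"{group}:{artifact}")
    return (parent.text.strip() if parent is not None else None), foreign


if __name__ == "__main__":
    parent, foreign = audit_bom(SAMPLE_EFFECTIVE_BOM, "org.apache.commons", "commons-vfs2")
    print("BOM parent:", parent)
    for entry in foreign:
        print("managed dependency outside the BOM's own artifacts:", entry)
```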
