zentol commented on issue #11626: [FLINK-16961] Bump Netty 4.X to 4.1.44
URL: https://github.com/apache/flink/pull/11626#issuecomment-609865199

> I was wondering whether we shouldn't declare minimum requirements in the parent pom's dependency management section

DependencyManagement has subtle flaws that make it undesirable for this case. This will likely also apply to other cases and existing depMgmt entries that we currently have, which we may want to re-evaluate at some point.

The core issue is that dependency management entries do not affect the published poms.

Let's say you have a module M, depending on A, depending on B 1.0, and M has a depMgmt entry for B setting it to 1.1. While you are working in the module, writing code, running tests, packaging dependencies, B is set to 1.1 as expected. But in the published pom there is still just the dependency on A. You don't see anything about B, so a user would pull in B 1.0 again. DependencyManagement is not transitive, i.e., not visible to downstream modules. See also MNG-5761.

This is also why we have so many entries in the root pom; if one module has a depMgmt entry, and another module depends on it, then the second one doesn't see the depMgmt entries of the first one, and has to handle the conflicts locally again.

In other words, if you bundle a dependency affected by depMgmt entries then you're good. But if this dependency is exposed to users, then you have achieved no practical benefit. A security scanner running over the project itself will be happy, a scanner running over the published artifacts will complain.
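The M / A / B scenario from the comment, as an added example that is not part of the PR thread, Flink, or Maven itself. It is a deliberately simplified model of resolution (nearest declaration wins, and only the root project's dependencyManagement is applied; managed versions found in dependencies' poms are ignored), plus a stand-in scanner whose advisory list is a constructed placeholder. The artifact names, the downstream project D and the "flagged" B 1.0 are assumptions chosen to mirror the comment, not real artifacts.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Pom:
    """A pom.xml reduced to what matters here: <dependencies> and <dependencyManagement>."""
    name: str
    version: str
    dependencies: list                           # list of (name, version) as declared
    managed: dict = field(default_factory=dict)  # dependencyManagement: name -> version


# Constructed sample repository mirroring the comment: M -> A -> B 1.0, with M
# pinning B to 1.1 through dependencyManagement.
REPO = {
    ("B", "1.0"): Pom("B", "1.0", []),
    ("B", "1.1"): Pom("B", "1.1", []),
    ("A", "1.0"): Pom("A", "1.0", [("B", "1.0")]),
    ("M", "1.0"): Pom("M", "1.0", [("A", "1.0")], managed={"B": "1.1"}),
}

# Downstream project D (hypothetical): its view of M's published pom is just "M depends on A".
D = Pom("D", "1.0", [("M", "1.0")])
# The same project after repeating the dependencyManagement entry for B locally.
D_WITH_OWN_MANAGEMENT = Pom("D", "1.0", [("M", "1.0")], managed={"B": "1.1"})

# Constructed placeholder for a scanner's advisory database. B 1.0 is flagged purely
# for illustration; no real advisory is implied.
FLAGGED = {("B", "1.0")}


def resolve(root: Pom, repo=REPO) -> dict:
    """Simplified Maven-style resolution.

    Breadth-first, so the nearest declaration of an artifact wins, and only the ROOT
    project's dependencyManagement is consulted. dependencyManagement sections in the
    poms of dependencies are ignored on purpose: that is the non-transitive behaviour
    the comment describes, not a faithful copy of Maven's resolver.
    """
    resolved = {}
    queue = deque(root.dependencies)
    while queue:
        name, declared = queue.popleft()
        if name in resolved:
            continue  # a nearer declaration already won
        version = root.managed.get(name, declared)
        resolved[name] = version
        queue.extend(repo[(name, version)].dependencies)
    return resolved


def scan(resolved: dict, flagged=FLAGGED) -> list:
    """What a dependency scanner would report for a resolved artifact set."""
    return sorted(f"{n}:{v}" for n, v in resolved.items() if (n, v) in flagged)


def build_of_m() -> dict:
    """Resolution while building M itself: its own depMgmt entry is honoured (B 1.1)."""
    return resolve(REPO[("M", "1.0")])


def build_of_d() -> dict:
    """Resolution for downstream D consuming M's published pom: M's depMgmt is invisible (B 1.0)."""
    return resolve(D)


def build_of_d_with_own_management() -> dict:
    """D only gets B 1.1 once it repeats the depMgmt entry in its own pom."""
    return resolve(D_WITH_OWN_MANAGEMENT)


if __name__ == "__main__":
    for label, fn in [("M build", build_of_m),
                      ("D build", build_of_d),
                      ("D build, own depMgmt", build_of_d_with_own_management)]:
        r = fn()
        print(f"{label:22} -> {r}  scanner: {scan(r) or 'clean'}")
```

Running it shows the split the comment describes: the scanner is clean for M's own build, flags `B:1.0` for the downstream build of D, and is clean again only after D carries the same dependencyManagement entry itself. Bundling B inside M would remove the exposure; merely managing its version in M's pom does not.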
