[ 
https://issues.apache.org/jira/browse/MPIR-430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Elliotte Rusty Harold closed MPIR-430.
--------------------------------------

> Dependency Convergence calculation should ignore 'provided' direct and 
> transitive dependencies
> ----------------------------------------------------------------------------------------------
>
>                 Key: MPIR-430
>                 URL: https://issues.apache.org/jira/browse/MPIR-430
>             Project: Maven Project Info Reports Plugin
>          Issue Type: Bug
>          Components: dependency-convergence
>    Affects Versions: 3.4.2
>            Reporter: Dave Wichers
>            Priority: Minor
>
> If a direct or transitive dependency is 'provided', then excluding it has no 
> effect, I believe. As an example, this other Apache project: 
> [https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html] 
> - when it calculates enforcement of dependency convergence, it already 
> ignores 'provided' dependencies.  I have a project I'm supporting called 
> ESAPI, and if you look at its pom here: 
> [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L165,] 
> you'll see this pom excludes a dependency for the 'provided' dependency 
> javax.servlet.jsp-api.   The project does this to get 100% convergence for 
> the MPIR convergence report even though 'excluding' this transitive 
> dependency has no actual effect.
> When I drop this exclusion, the 100% convergence requirement enforced by the 
> maven enforcer plugin per: 
> [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#570] still 
> passes.
> There is also a 'provided' transitive dependency of a real dependency here 
> that we have to exclude: 
> [https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#189] (the 
> xml-api exclusion).
> These two exclusions are really unnecessary.
> Can you enhance the dependency convergence calculations of the MPIR plugin to 
> ignore all direct or transitive 'provided' dependencies to match the behavior 
> of the Maven Enforcer Plugin?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
