Something about your specific build is making Maven select 5.18.2 for those modules, as the 5.18.3 broker module does originally depend on the 5.18.3 modules.
Maven will resolve all the [transitive] dependencies of your build, and pick one version for everything used. In that process, something is making it pick 5.18.2 for the other modules.

It's likely you either have other dependencies in your build that [transitively] depend on the 5.18.2 client etc, and the resolution is selecting those versions as they are somehow 'closer' (explained somewhat in https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#transitive-dependencies), or else perhaps you have some dependencyManagement in play somehow that is setting it (check any bom/pom imports, or parent poms you are using, if you don't think you are doing it directly...see also https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management for more detail).

You can ensure what is picked using your own dependencyManagement declarations.

You can examine what is being picked and why using: "mvn dependency:tree" to see the effective selection path, and "mvn dependency:tree -Dverbose" to see various added details otherwise omitted by default.

You can examine the actual effective pom for your build once inheritance etc is considered, and see where each effective line is actually coming from, using "mvn help:effective-pom -Dverbose".

On Wed, 22 Nov 2023 at 10:12, PERRIN COMBALUZIER Gaetan <gaetan.perrincombaluz...@ext.biomerieux.com.invalid> wrote:
>
> Hello Team,
>
> I'm using ActiveMQ broker on multiple projects, and we just made the update from 5.18.2 to 5.18.3 to correct CVE-2023-46604.
>
> In my Maven dependencies, I just declare activemq-broker and let it handle its dependencies.
>
> However, it seems to download its ActiveMQ dependencies (activemq-client and activemq-openwire-legacy) in 5.18.2.
>
> Is it normal? Shouldn't it go for 5.18.3?
>
> Obviously, I can work around it by declaring myself which version of each dependency I want, but I'm surprised Maven doesn't take care of it by itself.
>
> Regards,
>
> Gaétan Perrin
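
A check along the lines of the "mvn dependency:tree" advice above, suitable for running in CI after a security upgrade: it reads plain `mvn dependency:tree` output and reports every org.apache.activemq artifact that did not resolve to the expected version. This is an added example, not part of the original thread; the function names and the sample tree are constructed for illustration.

```python
import sys

GROUP = "org.apache.activemq"
SCOPES = {"compile", "runtime", "test", "provided", "system", "import"}

# Constructed sample of plain `mvn dependency:tree` output (not from the thread).
SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- org.apache.activemq:activemq-broker:jar:5.18.3:compile
[INFO] |  +- org.apache.activemq:activemq-client:jar:5.18.2:compile
[INFO] |  \\- org.apache.activemq:activemq-openwire-legacy:jar:5.18.2:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""


def resolved_versions(tree_text, group=GROUP):
    """Map artifactId -> resolved version for every artifact of `group`."""
    found = {}
    for line in tree_text.splitlines():
        for token in line.split():
            if not token.startswith(group + ":"):
                continue
            # Coordinates are groupId:artifactId:type[:classifier]:version[:scope]
            parts = token.split(":")
            if parts[-1] in SCOPES:
                parts = parts[:-1]
            if len(parts) >= 4:
                found[parts[1]] = parts[-1]
    return found


def mismatches(tree_text, expected, group=GROUP):
    """Return {artifactId: version} for artifacts not resolved to `expected`."""
    versions = resolved_versions(tree_text, group)
    return {a: v for a, v in versions.items() if v != expected}


if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree | python check_activemq.py
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    bad = mismatches(text, "5.18.3")
    for artifact, version in sorted(bad.items()):
        print(f"{GROUP}:{artifact} resolved to {version}, expected 5.18.3")
    sys.exit(1 if bad else 0)
```

A non-zero exit fails the build step, so a partially applied upgrade like the one described in the thread is caught before release.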