Managed dependencies with :exclusions are not merge into actual project dependencies for lein :deps commands.

[ejschoen]

Describe the bug
Managed dependencies with :exclusions are not correctly processed for lein deps :tree.

To Reproduce

1. Create a project file like this:

(defproject foo "0.1.0-SNAPSHOT"
  :managed-dependencies [[org.clojure/clojure "1.8.0"]
                         [cc.artifice/clojure-solr "2.1.1" :exclusions [com.github.ben-manes.caffeine/caffeine ]
  :dependencies [[org.clojure/clojure nil]
                 [cc.artifice/clojure-solr nil]])

2. Run lein deps :tree
3. Observe that the clojure-solr dependency is missing from the output.

 [clojure-complete "0.2.5" :exclusions [[org.clojure/clojure]]]
 [nrepl "0.7.0" :exclusions [[org.clojure/clojure]]]
 [org.clojure/clojure "1.8.0"]

4. Drop the :exclusions [com.github...] from the clojure-solr dependency.
5. Run lein deps :tree
6. Observe that the complete dependency tree is displayed.

Actual behavior
Managed dependencies with :exclusions are not merged for lein deps.

Expected behavior
Managed dependencies with :exclusions should be merged for lein deps in the same manner as they are for generating actual dependencies for the runtime classpath (i.e., what one sees in a generated pom.xml from lein pom).

Environment

• Leiningen Version: 2.8.3 or later. (No difference between 2.8.3 and 2.9.4 or 2.9.5-SNAPSHOT)
• Leiningen installation method: manual
• JDK Version: OpenJDK 8
• OS: Debian Stretch

[timclemons]

Can confirm this issue. This also comes into play when lein deps :tree reports confusing dependency overrides that don't actually exist.

For instance, if we have the transitive dependencies:

A -> B -> C_1.0
D -> C_1.1

This should be resolved if we add the following:

:dependencies [[A "0.1.0" :exclusions [B]]
               [D "0.1.1"]]

However, lein deps :tree will still report this as being an override.

[frenchy64]

I had trouble reproducing the OP, so I'll offer another reproduction:

(defproject deps-tree-bug "0.1.0-SNAPSHOT"
  :managed-dependencies [[com.gfredericks/test.chuck "0.2.10"
                          :exclusions [com.andrewmcveigh/cljs-time]]]
  :dependencies [[com.gfredericks/test.chuck]])

~/Projects/deps-tree-bug ❯ lein deps :tree
 [clojure-complete "0.2.5" :exclusions [[org.clojure/clojure]]]
 [nrepl "0.8.3" :exclusions [[org.clojure/clojure]]]
~/Projects/deps-tree-bug ❯

I noticed that by adding a top-level :exclusions entry, the problem seems to resolve:

(defproject deps-tree-bug "0.1.0-SNAPSHOT"
  :exclusions [com.andrewmcveigh/cljs-time]
  :managed-dependencies [[com.gfredericks/test.chuck "0.2.10"
                          :exclusions [com.andrewmcveigh/cljs-time]]]
  :dependencies [[com.gfredericks/test.chuck]])

~/Projects/deps-tree-bug ❯ lein deps :tree
 [clojure-complete "0.2.5" :exclusions [[com.andrewmcveigh/cljs-time] [org.clojure/clojure]]]
 [com.gfredericks/test.chuck "0.2.10" :exclusions [[com.andrewmcveigh/cljs-time]]]
   [clj-time "0.10.0"]
     [joda-time "2.7"]
   [instaparse "1.3.6"]
   [org.clojure/test.check "0.10.0-RC1"]
     [org.clojure/clojure "1.9.0"]
       [org.clojure/core.specs.alpha "0.1.24"]
       [org.clojure/spec.alpha "0.1.143"]
 [nrepl "0.8.3" :exclusions [[com.andrewmcveigh/cljs-time] [org.clojure/clojure]]]
~/Projects/deps-tree-bug ❯

[frenchy64]

This seems to be linked to this call to aether/merge-versions-from-managed-coords.

The result seems to inherit the dep options from :dependencies rather than :managed-dependencies. For example the result of the following code should be [[com.gfredericks/test.chuck "0.2.10" :exclusions [com.andrewmcveigh/cljs-time]]] for the dependency to be resolved correctly, but instead it's:

(cemerick.pomegranate.aether/merge-versions-from-managed-coords
  '([com.gfredericks/test.chuck nil])
  '[[com.gfredericks/test.chuck "0.2.10" :exclusions [com.andrewmcveigh/cljs-time]]])
;=> [[com.gfredericks/test.chuck "0.2.10"]]

This result gets passed as the first argument of cemerick.pomegranate.aether/dependency-hierarchy here and results in the dependency com.gfredericks/test.chuck being completely lost (this is the actual call in the above reproduction):

(cemerick.pomegranate.aether/dependency-hierarchy
  '[[com.gfredericks/test.chuck "0.2.10"] ;; THE BUG: no exclusions!
    [nrepl/nrepl "0.8.3" :exclusions ([org.clojure/clojure])]
    [clojure-complete/clojure-complete "0.2.5" :exclusions ([org.clojure/clojure])]]
  '{[com.gfredericks/test.chuck "0.2.10" :exclusions [[com.andrewmcveigh/cljs-time]]]
    #{[clj-time "0.10.0"] [instaparse "1.3.6"] [org.clojure/test.check "0.10.0-RC1"]},
    [clojure-complete "0.2.5" :exclusions [[org.clojure/clojure]]] nil,
    [clj-time "0.10.0"] #{[joda-time "2.7"]},
    [org.clojure/clojure "1.9.0"] #{[org.clojure/core.specs.alpha "0.1.24"]
                                    [org.clojure/spec.alpha "0.1.143"]},
    [nrepl "0.8.3" :exclusions [[org.clojure/clojure]]] nil,
    [org.clojure/core.specs.alpha "0.1.24"] nil,
    [joda-time "2.7"] nil,
    [instaparse "1.3.6"] nil,
    [org.clojure/test.check "0.10.0-RC1"] #{[org.clojure/clojure "1.9.0"]},
    [org.clojure/spec.alpha "0.1.143"] nil}))
;=> {[clojure-complete "0.2.5" :exclusions [[org.clojure/clojure]]] nil,
;    [nrepl "0.8.3" :exclusions [[org.clojure/clojure]]] nil}

[frenchy64]

Perhaps this is just how pomegranate works. I think this feature request covers what we want to achieve via leiningen: to manage more than just the version in :managed-dependencies.

[technomancy]

I think that's correct; Leiningen doesn't really do anything with managed dependencies other than pass them thru to pomegranate.