
Don't specify scope in dependencyManagement of BOM #3373

Merged
merged 2 commits into from
Jul 18, 2020

Conversation

amr
Contributor

@amr amr commented Jul 17, 2020

<dependencyManagement> is commonly used for locking down the version of a dependency, not its scope. Doing that breaks the scope of transitive dependencies and is very hard to troubleshoot.

Problem:

I've a dependency in my project:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-core</artifactId>
    <version>${keycloak.version}</version>
</dependency>

keycloak-core's pom.xml has the following compile dependency:

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>${bouncycastle.version}</version>
</dependency>

With the dropwizard-dependencies BOM in my project, here is how keycloak-core looks in the output of the Maven dependency tree:

[INFO] +- org.keycloak:keycloak-core:jar:8.0.2:compile
[INFO] | +- org.keycloak:keycloak-common:jar:8.0.2:compile
[INFO] | \- org.bouncycastle:bcprov-jdk15on:jar:1.65.01:test

(edited for brevity)

The problem is in the last line: the Bouncy Castle dependency got its scope changed to test, because dropwizard-dependencies' <dependencyManagement> section specifies a <scope> for the Bouncy Castle artifact, which takes precedence and converts all transitive dependencies on that artifact to the test scope. I believe the intention here was to lock down transitive dependencies' versions, not scopes. The scope is always specified alongside the <dependency> declaration in the actual <dependencies> anyway.

Solution:

Remove <scope> declaration from <dependencyManagement>.

Result:

Avoid surprises during builds. The BOM is intended to lock versions, not scopes.
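The mechanism described above, as an added illustration that is not the dropwizard-dependencies BOM itself: the managed entry with a scope (the problem), the corrected version-only entry, and where a test-only use belongs instead. The artifact coordinates and the `${bouncycastle.version}` property are taken from the description; everything else is an assumed minimal fragment.

```xml
<!-- Added illustration, not the dropwizard-dependencies BOM. -->

<!-- Before: the BOM manages a scope as well as a version. Maven applies a
     managed scope to every transitive occurrence of the artifact, so a
     compile dependency reached through keycloak-core is rewritten to test
     scope and is absent from the compile classpath and the packaged build. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>${bouncycastle.version}</version>
      <scope>test</scope>   <!-- the problem: overrides transitive scopes -->
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- After: the BOM pins only the version. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>${bouncycastle.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- A module that only needs the artifact for its tests declares the scope
     in its own <dependencies>; the version is inherited from the BOM and the
     scope stays local to this module. -->
<dependencies>
  <dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <scope>test</scope>
  </dependency>
</dependencies>
```

To check an existing build for this effect, `mvn dependency:tree -Dincludes=org.bouncycastle` prints the resolved scope of the artifact under each dependent; a `:test` entry beneath a `:compile` parent, as in the tree in the description, is the symptom.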

amr and others added 2 commits July 17, 2020 10:10
<dependencyManagement> is used for locking down the version of a dependency, not its scope. Doing that breaks the scope of transitive dependencies.
@joschi joschi added this to the 2.0.12 milestone Jul 18, 2020
@joschi joschi assigned joschi and amr Jul 18, 2020
Member

@joschi joschi left a comment


@amr Good catch. Thank you very much!

@joschi joschi changed the title dropwizard-dependencies: Don't specify scope in <dependencyManagement> Don't specify scope in dependencyManagement of BOM Jul 18, 2020
@joschi joschi merged commit 760815c into dropwizard:master Jul 18, 2020
joschi pushed a commit that referenced this pull request Jul 18, 2020
Co-authored-by: Jochen Schalanda <jochen@schalanda.name>
(cherry picked from commit 760815c)