-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Version Resolution is wrong in some cases when a dependency uses dependencyManagement in it's pom.xml #1812
Comments
This is a limitation in how we currently treat BOMs (we only apply them to the direct dependencies of a module). Instead, we should add the management section of the BOM as constraints on the module that imports that BOM. |
There are 2 issues here:
We are working to improve things in this space, but our aim is not to perfectly replicate the Maven resolution behaviour. |
Edited title to reflect required change to current Gradle behavior with |
This feature will be part of the BOM support in Gradle 5.0 - see #4422 for details |
This will be available in Gradle 5.0 through |
I don't see how this issue has been fixed with Gradle 5.x - it still exists. I have a Gradle build script that lists a couple of Maven artifacts. The script has a Copy task that copies all the direct and transitive dependencies to the folder "deps". The situation here is the same as in the original issue description, i.e. I get artifact D in version 2 instead of version 1. |
BTW, the original title of the issue as reported by @ptriller was "Version Resolution is wrong in some cases when a dependency uses dependencyManagement in it's pom.xml". For reasons I don't know it has been modified (by @oehme, and then by @ljacomet ). The new title, "Allow importing BOMs as force constraints", has nothing to do with the actual issue. Misunderstanding? |
You're right, this was misclassified. However, the original issue is not correct either - Maven behaves exactly the same if you have a dependency chain like that. |
I haven't checked the attached project, but I have encountered this exact problem in our environment, where the setup is exactly as described by the ticket author. Gradle and Maven definitely behave differently here, and the Maven behavior is the correct one. The concrete situation is:
Thus Next I created a new Maven artifact (let's call it Finally I created a Gradle build script that corresponds to the
Now, when I invoke |
Can you create a full reproducible project, including the Maven and Gradle example, please? |
Yes, but that will take a while. |
That's a different issue - The original reporter had no direct dependency on project In your case Gradle and Maven differ indeed and this is expected behavior, as Gradle does not use the "just use the first version you see" strategy that Maven uses, but instead considers all versions and does proper conflict resolution. Since one module in the graph requires 1.3.4 and the other 1.3.3, we pick 1.3.4 since it is likely compatible. You can adjust this using We won't change our resolution engine to be exactly like Maven, because we want to support other systems as well. |
@oehme: Can you tell me how the resolution strategy can be configured to enforce the Maven behavior? The Maven |
This is not how Gradle works. demo-artifact can't control the version of
There is no overruling here, just two competing dependencies and Gradle chooses the one that it is more likely to work.
You can't, because Maven's model inherently relies on the order of dependency declarations and just uses the first version it sees, which is a pretty broken strategy that we don't support. Instead Gradle considers all version declarations and conflict resolves them. If the resolution that Gradle picks is not what you'd like, you can use the resolutionStrategy or a force rule to fix it up. |
That won't work in our case. I'm afraid we can't use Gradle then. :( We need a tool that downloads all the effective dependencies that are actually used by our base technology artifacts, not the ones that Gradle thinks work better (and which, in this case, is obviously the wrong decision). Thanks for clarifying though. |
If you need such a strong contract, have a look at defining and consuming a Maven BOM with the |
Hmm ... I'm not sure how the use of But this whole discussion is beginning to make me wonder if there really is a "correct" way to handle this requirement. It would probably be more reasonable to deal with one base artifact at a time instead of processing the whole bunch in one script, as we can never know in which order the base artifacts will be referenced by a product. |
Defining a BOM would help in having a centralized source for the versions of the dependencies to be used by your product / platform. |
We do have a BOM. However, sometimes artifacts must override transitive dependencies introduced by the BOM. Anyway, this is a problem I will have to solve. Thanks to both of you for your support! :) 👍 |
In some cases when a dependency is included transitively and a dependencyManagement section changes the version in another pom, then gradle resolves the resulting Version differently from Maven
Example:
Project A has a dependency to artifact D in version 2
Project B has a dependency to the Artifact from Project A and a dependencyManagement of Artifact D to version 1 (in it's pom.xml)
Project C has a dependency to the Artifact of Project B.
If you do this with maven, then Project C has a transitive dependency to D in version 1
If you do it with gradle then Project C has a transitive dependency to D in version 2
I expected the versions to be the same. In my eyes the Maven behavior makes more sense.
To reproduce see this simple test setup:
https://github.com/ptriller/gradle-bugreport
The text was updated successfully, but these errors were encountered: