-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Transitive platform dependencies may prevent exclusions from being applied #310
Comments
We use |
I am surprised that JUnit appearing in Jackson's bom (which should only affect its version if it already appears in the dependency graph) prevented its exclusion. It would appear that the appearance of the dependency constraints in the resolution result is confusing the algorithm that determines the dependencies that should be excluded. I think it probably needs to be updated to ignore dependencies where the selected variant's In the meantime, your workaround is a good temporary solution. |
Got it, thank you. |
In 3d05983, the fix for gh-310, an attempt was made to prevent dependencies in a transitive platform dependency from stoping exclusions from being applied correctly. Unfortunately, it went to far which led to a dependency's parent pom being excluded. This could cause resolution failures if that parent contained dependency management that was required for the child's dependencies to resolve correctly. This commit reworks that changes so that the platform dependency itself is added to the included nodes but to then stop processing. This prevents the platform dependency itself from being excluded but ensures that any of its dependencies due not influence the application of exclusions. Fixes gh-360
We have a project with
spring-boot-dependencies:2.4
and excluded transitive dependency (junit
):When we tried to bump a version to
spring-boot-dependencies:2.5
thejunit
appeared again.It turned out that
spring-boot-dependencies:2.5
brings jackson dependencies with version 2.12 instead of 2.11 which in turn started to publish Gradle metadata which brings Jackson platform (jackson-bom
). The platform controlsjunit
and this disables our exclusion.The same behavior appears if we just use jackson dependency with version 2.12 or if we use
jackson-bom
platform.After reading the Gradle documentation and some existing issues we found a solution: we also exclude
junit
from the platform:The question is: Do we use the correct way to handle such logic? And could the documentation contain a warning about this case?
The text was updated successfully, but these errors were encountered: