I know maven dependencies have different scopes.
But what are Managed Dependencies?
The dependency you are looking at is not a jar file but a pom.xml that is meant to be used as "bom" (bill of materials). It contains the preferred versions of dependencies, so you would not need to inherit from that parent pom to use those version numbers but you can import them. See BOM section in the introduction: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms
If you look into that pom.xml file: https://search.maven.org/artifact/org.apache.logging.log4j/log4j/2.13.3/pom you will see the dependencyManagement section. If you import that pom, that section is added to your own dependencyManagement section (sort of). It's not dependencies yet, just preferred versions.
These kinds of dependencies can only be added into the dependencyManagement section of the pom.xml - I assume the gradle dependency resolution follows that behaviour but I'm not sure about that; bom support took a while to arrive in gradle.
I created a Kotlin library and published it to Maven Central.
However, if this library is used by a pure Java project, the user must add the dependency “kotlin-stdlib” explicitly.
It looks like “kotlin-stdlib” is automatically excluded from the gradle/maven dependency tree because it is treated as a provided dependency.
How to resolve this problem?
In gradle you can add
dependencies {
    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
}
The generated pom.xml should contain this dependency.
See:
https://mvnrepository.com/artifact/io.github.ragin-lundf/bdd-cucumber-gherkin-lib/1.48.0
-> under runtime dependencies
https://github.com/Ragin-LundF/bbd-cucumber-gherkin-lib/blob/main/build.gradle
-> as an example how to generate the pom for publishing to maven central in gradle
I found the reason.
implementation(kotlin("reflect"))
is not OK,
api(kotlin("reflect"))
must be used.
I have a graph with 40K artifacts and I can list all possible dependencies of a package (I do so by parsing a list of effective poms)
For example, I have the following for this package:
There are 2 dependencies, not taking different versions into account.
I would like to show that these results are valid by showing that maven also lists these dependencies for this package. But when I use mvn dependency:tree after I add the com.google.guava:guava:14.0.1, I get no dependencies listed.
This is the pom file of the package:
It clearly has those 2 dependencies, but their scopes are provided. Even if I use -Dinclude=provided or -Dscope=provided as a parameter, I still cannot list them.
So, how do I list all dependencies of a package no matter the scope used?
Use Analyze Dependencies... action in the Maven tool window:
It will show the list of dependencies in the project with their scopes and usages in project:
Scope provided means it's provided at runtime, which implies that it's not a package dependency:
A dependency with this scope is added to the classpath used for compilation and test, but not the runtime classpath. It is not transitive.
Maven allows you to define in the pom file:
(A) dependencies -> the actual direct dependencies of the project
(B) dependencyManagement/dependencies -> managed dependencies that affect dependencies of category (A) with undefined version and transitive dependencies.
If I put a wrong/unknown artifact in category A - maven will surely fail.
If I put a wrong/unknown artifact in category B - maven will fail only if it affects category A (for instance, A defines dep on foo:bar and B defines dep on foo:bar:<unknown-version>).
I wonder if there is any existing plugin that will allow me to verify all managed deps (category B) - make sure they actually exist.
I have 1 global pom project with deps management that serves multiple projects and I want to verify any change to the deps in the CI before uploading a new version to the remote repository.
In maven dependency plugin there is goal dependency:analyze-dep-mgt. You may use it to check dependencies in dependencyManagement section of your pom.xml.
If you need deeper control or more functionality, options would be to create your own plugin or have a dummy project which would use all your managed dependencies (although I should say this is a cumbersome solution).
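One way to run the check asked about above in CI, as an added example (not code from the answers or from any Maven plugin): a Python script that reads the dependencyManagement section, expands ${property} versions, and asks a Maven2-layout repository whether each managed POM exists. The sample POM, the com.example and foo:bar coordinates, and all function names are constructed for illustration.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; com.example and foo:bar are hypothetical coordinates.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>global-parent</artifactId><version>1.0</version>
  <properties><guava.version>19.0</guava.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>${guava.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.0</version></dependency>
    <dependency><groupId>foo</groupId><artifactId>bar</artifactId>
      <version>${bar.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

def managed_dependencies(pom_text):
    """Return (groupId, artifactId, version) per managed dependency, expanding ${prop}."""
    root = ET.fromstring(pom_text)  # parse only POMs from your own repository
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS) if isinstance(p.tag, str)}
    props["project.version"] = root.findtext("m:version", "", NS).strip()
    def expand(s):  # unknown properties are left as ${...} so they can be reported
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), s)
    deps = root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)
    return [tuple(expand(d.findtext(f"m:{tag}", "", NS).strip())
                  for tag in ("groupId", "artifactId", "version")) for d in deps]

def repo_path(group, artifact, version):
    """Path of the artifact's POM in a Maven2-layout repository."""
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.pom"

def http_exists(base_url):
    """Build an existence check that sends HTTP HEAD to a repository (needs network)."""
    def check(path):
        req = urllib.request.Request(f"{base_url.rstrip('/')}/{path}", method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status == 200
        except OSError:  # HTTP 404, DNS failure, timeout: treat as missing
            return False
    return check

def verify_managed(pom_text, exists):
    """Return 'g:a:v' for managed dependencies that are unresolved or not found."""
    return [":".join(gav) for gav in managed_dependencies(pom_text)
            if "${" in gav[2] or not gav[2] or not exists(repo_path(*gav))]
```

In a pipeline, pass `http_exists(<your repository base URL>)` as `exists` and fail the build when `verify_managed` returns a non-empty list.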
I am a newbie of Maven, currently reading Hadoop source code, and found something interesting in some pom.xml files:
Some of the dependency nodes do not contain a version node at all.
Question: why is it like this?
for instance, this pom.xml.
Because the specific version of the dependency is in the parent pom.xml file
https://github.com/apache/hadoop/blob/trunk/pom.xml
Reference: https://maven.apache.org/guides/introduction/introduction-to-the-pom.html
As I commented at first, a pom file can have a parent (via inheritance) and such a parent may provide some governance and harmonization across all of its children. A classic case is to provide versioning for certain dependencies via a dependencyManagement section.
dependencyManagement is used by POMs to help manage dependency information across all of its children. If the my-parent project uses dependencyManagement to define a dependency on junit:junit:4.0, then POMs inheriting from this one can set their dependency giving the groupId=junit and artifactId=junit only, then Maven will fill in the version set by the parent. The benefits of this method are obvious. Dependency details can be set in one central location, which will propagate to all inheriting POMs.
The mentioned pom has indeed a parent pom:
<parent>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-project-dist</artifactId>
    <version>3.0.0-SNAPSHOT</version>
    <relativePath>../../hadoop-project-dist</relativePath>
</parent>
Which in chain has another parent pom file which defines several dependencies as part of its dependencies management section.
If you really want to check the effective (merged) pom your build is using, you could run:
mvn help:effective-pom -Doutput=effective-pom.xml
And the maven-help-plugin will produce an additional pom as specified by the command above, merging the current pom file and all of its ancestors.
In Maven you can inherit from a parent folder in order to merge or inherit some properties. This can be the version of the modules. Usually you have a "super" POM in the root folder of your project and you put all the common dependencies there in order to control them in an easier way. I.e., if you must change one module version, you only need to change it in the "super" POM and not in each POM inside each subfolder that needs it. If you need more information about POM inheritance, the documentation has a couple of useful examples.
https://maven.apache.org/guides/introduction/introduction-to-the-pom.html#Project_Inheritance
I have a library I share on jcenter for maven and gradle users to add to their dependencies. This library uses some common stuff like gson, guava, etc. It is part of a large multi-module project but I only deploy the one child module to the repositories. The complete parent pom.xml is here:
https://github.com/bsautner/com.nimbits/blob/master/pom.xml
The child pom that results in the library's pom is here:
https://github.com/bsautner/com.nimbits/blob/master/nimbits_io/pom.xml
The child pom has dependencies like this:
<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>19.0</version>
</dependency>
Pretty standard. When I import my library into an android project (gradle in this case) I need to include a transitive=false like this:
compile ('com.nimbits:nimbits_io:3.9.47') {
    transitive = false
}
If I don't do this, android builds fail with many errors like this one:
Error:Gradle: Execution failed for task
':app:packageAllDebugClassesForMultiDex'.
java.util.zip.ZipException: duplicate entry: org/slf4j/impl/StaticLoggerBinder.class
My understanding is that my jar has duplicate dependencies already in the android project.
I don't get what I'm doing wrong, and why I need to use that flag. If I set these dependencies as "provided" I'd need my users to add my libraries to their dependencies. How do I share a library with dependencies without causing duplicate errors with the user? No other libraries require this flag, so I must be doing something wrong.