I have a maven project with some dependencies. Some of them have transitive dependencies which depend on, say, some jar A. I want to exclude this jar. Okay, I can add exclusions to every dependency which itself depends on A. But its a bit tedious. Is there any way to put this exclusion in one place in a maven project configuration?
Use a parent pom where you have <dependencyManagement/>. Then extend this parent in your POM files.
Alternatively, if it's one project that contains all these dependencies and they contain a transitive dependency with multiple versions on the dependency tree, define that dependency explicitly in your POM file and this will override the transitive versions.
See my explanations here for a similar question.
OKay, it looks like there is no way to do this.
According to documentation
Why exclusions are made on a per-dependency basis, rather than at the POM level
This is mainly done to be sure the dependency graph is predictable,
and to keep inheritance effects from excluding a dependency that
should not be excluded. If you get to the method of last resort and
have to put in an exclusion, you should be absolutely certain which of
your dependencies is bringing in that unwanted transitive dependency.
Related
I want to update this package's version, but I didn't find this package in my pom file under root directory
How can I update this package's version? Do I need to do it directly in the pom file under the Maven package?
This is my dependency tree, and I want to upgrade to 1.31
If you don’t use it directly, then it is coming from one of your dependencies. You can check which one using
mvn dependency:tree
With IntelliJ IDEA, you can also open the Maven view, then right-click the project and select “Analyze Dependencies…” to get the same information.
Ideally, you should keep it as a transitive dependency, otherwise you will have to take care of its upgrade every time you upgrade the library that actually depends on it. Moreover, there can be issues if you upgrade only the transitive dependency and not the intermediate one (e.g. for Spring).
The best solution would thus be to upgrade that intermediate dependency, assuming that they have released a new version of it (SnakeYAML 1.29 being affected by CVE-2022-25857, there are good chances).
Only if you can’t do that, you should add the dependency in the <dependencyManagement> section of your pom.xml, but don’t forget tot maintain it from now on (and remove it once the intermediate dependency is upgraded).
If you can't find it in your pom then it means it's a transitive dependency pulled in by one of your other dependencies. You can just redefine this as a normal dependency in your pom and it will override the version to be whatever you like.
I am looking for a way to test whether or not any of my explicit dependencies in my pom.xml reference/include any of the same transitive dependencies. For example, if dependency-A includes junit.jupiter and dependency-B also includes junit.jupiter, I want a way to see this so that I can exclude it from one of them to prevent conflicts.
I saw through this link that you can use mvn dependency:tree to essentially show all dependencies and their transitive dependencies, but it prints in a fairly unreadable format and it isn't clear through that output what the source of each transitive dependency is.
Note that if dependency-A uses junit.jupiter and dependency-B uses junit.jupiter, then only one of these dependencies will be included. Maven will not include the same dependency twice.
What can be tricky, though, is the resulting version. Maven takes the "nearest" element, not the highest version. If you want to notice if you have conflicting versions, I recommend the "dependency convergence" rule of the maven enforcer rules.
If you want to choose one version for junit.jupiter, add an entry to <dependencyManagement> in your POM.
Is there a way to specify private dependency for a project that will not be visible to others?
What I'm trying to achieve is pretty much similar to what exclusion does, but with one slight difference - user should not be aware of that dependency at all and, thus, won't have to use this exclusion explicitly.
And if this is not possible (which, most likely, is true), then is there any particular reason why?
Optional dependencies sound like what you want. Mark a dependency as optional and you'll have it when you build, but users won't automatically have that library included as a transitive dependency.
See Maven - Optional Dependencies and Dependency Exclusions for more details.
'provided' is not the ideal solution here; that means that a dependency is required, but that it will be provided by any user of your artifact. 'optional' means that the dependency is only required for some functionality.
I want to you use a class 'javax.xml.stream.XMLOutputFactory' in code.
The class (XMLOutputFactory) is available in more than one jars of library which got included as maven dependencies.
Problem : The class(XMLOutputFactory) is loading from the jar file while i am expecting to load from other jar.
Is there any solution to customize the loading of a class from the specific jar file.
Not on the java side (or maybe by implementing a new classloader but that is not a reasonable solution to your problem).
You should probably just exclude the dependencies (versions) you don't want in your pom file.
Since maven 2.0.9 the classpath is generated according dependencies declaration in pom.xml.
From maven site:
Note that if two dependency versions are at the same depth in the dependency tree, until Maven 2.0.8 it was not defined which one would win, but since Maven 2.0.9 it's the order in the declaration that counts: the first declaration wins.
So you can solve your problem if you take care of dependencies ordering in your pom.xml
I'm not sure whether the title makes a whole lot of sense and whether this post already answers my question, but here it is:
We have a multi-module project. As you would expect this projects has a combination of internal and third party dependencies. For the third party dependencies we define these in the dependency management section of our parent POM so that we can manage the versions of these dependencies in a single common place.
As for inter-project (internal) dependencies, so far we've just entered the versions within each modules POM where a dependency is required. Then when doing a prepare with the release plugin, these versions are updated appropriately - all very nice.
What we want, like with the third party dependencies, is to be able to specify the internal dependency versions in the parent POM and therefore have a single common place. I see three potential approaches.
We do this by creating a property in the parent POM.
We do it via the dependency management section in the parent POM.
We use the project version property as the dependency version.
The preference would be to use one of the first two approaches, though there isn't really a strong reason for this. This leads me onto the main concern and question: If we use either of the first two approaches, will the release plugin still update the dependency version during the prepare stage?
All thoughts/feedback appreciated.
In the end we used the project.version property to help manage this. However, from what I understand, I believe using the dependency management section in the parent POM would also work.