jbangdev / jbang

Unleash the power of Java - JBang Lets Students, Educators and Professional Developers create, edit and run self-contained source-only Java programs with unprecedented ease.
https://jbang.dev
MIT License

`jbang export mavenrepo` generated pom file includes transient dependencies #1091

Open someth2say opened 2 years ago

someth2say commented 2 years ago

Describe the bug

The pom file generated by `jbang export mavenrepo` includes direct and transient dependencies. In Maven, dependencies are resolved in inverse order (the last declaration overrides previous ones). If a transient dependency is included after a declared dependency, the transient dependency will override the declared dependency, effectively breaking the dependency tree.

To Reproduce Steps to reproduce the behavior:

  1. Declare a dependency explicitly, e.g. `//DEPS com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.0`
  2. Declare another dependency that transitively depends on a different version of the previous dependency, e.g. `//DEPS com.hubspot.jinjava:jinjava:2.6.0`, which transitively depends on `fasterxml.jackson.dataformat:jackson-dataformat:2.7.9`
  3. Generate the pom file with `jbang export mavenrepo`

Expected behavior The generated effective pom file (or the tree generated by `mvn dependency:tree`) should include only the declared dependency: `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.0`. In other words, the transitive dependency `fasterxml.jackson.dataformat:jackson-dataformat:2.7.9` should not appear in the generated pom file (or, if it appears, it should be before the declared dependency, so Maven version resolution retains the declared dependency).

JBang version 0.83.1

Additional context The same transitive dependencies appear in the `.classpath` files generated by `jbang edit`. In this case, the order of dependencies in the `.classpath` file is the same as the order of declared dependencies in the script. As dependency resolution, in this case, is in order (the first declaration overrides later ones), the resolution is "correct" (meaning the declared dependency is used). `.classpath` files must include all dependencies, both direct and transitive. I didn't test, but I suspect this might lead to hairy situations (e.g. when having transitive dependencies before and after a declared dependency).

quintesse commented 2 years ago

@maxandersen won't this be solved by simply only including the dependencies that are explicitly mentioned in all the //DEPS statements? (We could do the resolve solely to check that the dependencies are actually correct, but theoretically we could just copy the //DEPS to the POM, right? Or am I missing something?)

maxandersen commented 1 year ago

Correct, we should by default just add the explicit dependencies, leaving out implicit dependencies to be resolved by Maven.
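An added example, not part of the issue thread or of JBang's code: a small audit that compares the `<dependency>` entries of a generated POM with a script's `//DEPS` lines and flags entries that no `//DEPS` line declares, or whose version differs from the declared one. The function names, the sample POM layout and the `org.example` entry are constructed, and only plain `group:artifact:version` coordinates are assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: the first two coordinates come from the issue, the rest is made up.
SCRIPT = """\
//DEPS com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.0
//DEPS com.hubspot.jinjava:jinjava:2.6.0
class Main { }
"""
DEP = "<dependency><groupId>{}</groupId><artifactId>{}</artifactId><version>{}</version></dependency>"
POM = '<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>' + "".join(
    DEP.format(*gav.split(":")) for gav in [
        "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.0",
        "com.hubspot.jinjava:jinjava:2.6.0",
        "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.7.9",  # constructed clash
        "org.example:some-transitive-lib:1.0",                              # constructed
    ]) + "</dependencies></project>"

def declared_deps(script_text):
    """Map (group, artifact) -> version for every coordinate on a //DEPS line."""
    deps = {}
    for line in script_text.splitlines():
        if not line.startswith("//DEPS"):
            continue
        for coord in re.split(r"[\s,]+", line[len("//DEPS"):].strip()):
            parts = coord.split(":")
            if len(parts) >= 3:
                deps[(parts[0], parts[1])] = parts[2]
    return deps

def pom_deps(pom_text):
    """List (group, artifact, version) for each <dependency>, in document order.
    Namespace-agnostic; also matches entries under dependencyManagement or plugins."""
    out = []
    for el in ET.fromstring(pom_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "dependency":
            f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
            out.append((f.get("groupId"), f.get("artifactId"), f.get("version")))
    return out

def audit(script_text, pom_text):
    """Return (kind, detail) findings for POM entries that diverge from //DEPS."""
    declared, findings = declared_deps(script_text), []
    for g, a, v in pom_deps(pom_text):
        want = declared.get((g, a))
        if want is None:
            findings.append(("not-declared", f"{g}:{a}:{v}"))
        elif want != v:
            findings.append(("version-conflict", f"{g}:{a}:{v} (declared {want})"))
    return findings
```

An empty result from `audit` means the POM contains exactly the explicit dependencies at their declared versions, which is the default behaviour proposed in the last comment.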