spring-gradle-plugins / dependency-management-plugin

A Gradle plugin that provides Maven-like dependency management functionality

Transitive platform dependencies may prevent exclusions from being applied #310

Closed akvone closed 1 year ago

akvone commented 3 years ago

We have a project with spring-boot-dependencies:2.4 and an excluded transitive dependency (junit):

```groovy
dependencies {
    implementation('org.apache.xmlrpc:xmlrpc-client')
    implementation('com.fasterxml.jackson.core:jackson-databind')
}

dependencyManagement {
    imports {
        mavenBom("org.springframework.boot:spring-boot-dependencies:2.4.4")
    }
    dependencies {
        dependency('org.apache.xmlrpc:xmlrpc-client:3.1.3') {
            exclude 'junit:junit'
        }
    }
}
```

When we tried to bump the version to spring-boot-dependencies:2.5, junit appeared again. It turned out that spring-boot-dependencies:2.5 brings Jackson dependencies with version 2.12 instead of 2.11, which in turn started to publish Gradle metadata that brings in the Jackson platform (jackson-bom). The platform controls junit and this disables our exclusion.

The same behavior appears if we just use a Jackson dependency with version 2.12 or if we use the jackson-bom platform.

After reading the Gradle documentation and some existing issues we found a solution: we also exclude junit from the platform:

```groovy
dependencyManagement {
    imports {
        mavenBom("org.springframework.boot:spring-boot-dependencies:2.5.4")
    }
    dependencies {
        dependency('org.apache.xmlrpc:xmlrpc-client:3.1.3') {
            exclude 'junit:junit'
        }
        dependency('com.fasterxml.jackson:jackson-bom:2.12.4') {
            exclude 'junit:junit'
        }
    }
}
```

The question is: is this the correct way to handle such logic? And could the documentation contain a warning about this case?

akvone commented 3 years ago

We use `gradle dependencies --configuration=runtimeClasspath` to see the classpath.

wilkinsona commented 3 years ago

I am surprised that JUnit appearing in Jackson's bom (which should only affect its version if it already appears in the dependency graph) prevented its exclusion. It would appear that the appearance of the dependency constraints in the resolution result is confusing the algorithm that determines the dependencies that should be excluded. I think it probably needs to be updated to ignore dependencies where the selected variant's org.gradle.category attribute has a value of platform.

In the meantime, your workaround is a good temporary solution.

akvone commented 3 years ago

Got it, thank you.
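A check that can run in CI after a BOM bump, so an exclusion that silently stops applying is caught. This is an added example, not code from the thread or from the plugin: it parses the text of `gradle dependencies --configuration=runtimeClasspath` and separates real dependency edges from rows marked `(c)`, which Gradle's report uses for dependency constraints such as those contributed by a platform. The function names and the sample report are constructed for illustration.

```python
import re

# One row of the `gradle dependencies` tree: 5-character indent units, a branch
# marker ("+---" or "\---"), then the module coordinate and optional markers.
ROW = re.compile(r"^(?P<indent>(?:[| ] {4})*)[+\\]--- (?P<rest>.+)$")

def find_modules(report, banned):
    """Return every occurrence of a banned group:name with its parent path."""
    hits, stack = [], []
    for line in report.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # configuration header, blank line, legend
        depth = len(m.group("indent")) // 5
        rest = m.group("rest")
        module = ":".join(rest.split(" ")[0].split(":")[:2])
        del stack[depth:]  # keep only the ancestors of this row
        if module in banned:
            hits.append({
                "module": module,
                "path": list(stack),
                # "(c)" marks a dependency constraint (e.g. from a platform):
                # it influences the version but does not add the module itself.
                "constraint": rest.endswith("(c)"),
            })
        stack.append(module)
    return hits

def real_dependencies(report, banned):
    """Banned modules that arrive through a real dependency edge."""
    return [h for h in find_modules(report, banned) if not h["constraint"]]

# Constructed sample report (hypothetical tree, not captured from a real build).
SAMPLE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.xmlrpc:xmlrpc-client -> 3.1.3
|    \--- org.apache.xmlrpc:xmlrpc-common:3.1.3
|         \--- org.apache.ws.commons.util:ws-commons-util:1.0.2
|              \--- junit:junit:3.8.1 -> 4.13.2
\--- com.fasterxml.jackson.core:jackson-databind -> 2.12.4
     \--- com.fasterxml.jackson:jackson-bom:2.12.4
          \--- junit:junit:4.13.1 -> 4.13.2 (c)
"""

if __name__ == "__main__":
    for hit in real_dependencies(SAMPLE, {"junit:junit"}):
        print("excluded module on classpath:", " -> ".join(hit["path"] + [hit["module"]]))
```

A non-empty result from `real_dependencies` means the excluded module is back on the classpath; a row that appears only with `(c)` is a version constraint and is reported separately by `find_modules`.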