19

I ran into an issue compile a jar with many dependencies, in particular overlapping versions of snakeyaml (we need 1.11, some dependency was pulling in 1.9). We ran mvn dependency:tree but we did not see the offending secondary version in any of the output. On further inspection, is was jruby-complete that was then pulling in snakeyaml. Why didn't mvn dependency:tree show us this level of drill down:

[INFO] |     |  +- org.apache.hbase:hbase-it:jar:0.98.6-cdh5.2.5:compile
[INFO] |     |  |  +- (org.apache.hbase:hbase-common:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  +- (org.apache.hbase:hbase-protocol:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  +- (org.apache.hbase:hbase-client:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  +- org.apache.hbase:hbase-shell:jar:0.98.6-cdh5.2.5:compile
[INFO] |     |  |  |  +- (org.apache.hbase:hbase-common:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (org.apache.hbase:hbase-protocol:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (org.apache.hbase:hbase-client:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (org.apache.hbase:hbase-prefix-tree:jar:0.98.6-cdh5.2.5:runtime - omitted for duplicate)
[INFO] |     |  |  |  +- (org.apache.hbase:hbase-server:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (org.apache.hbase:hbase-hadoop-compat:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (org.apache.hbase:hbase-hadoop2-compat:jar:0.98.6-cdh5.2.5:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (com.yammer.metrics:metrics-core:jar:2.2.0:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (commons-logging:commons-logging:jar:1.1.1:compile - omitted for conflict with 1.2)
[INFO] |     |  |  |  +- org.jruby:jruby-complete:jar:1.6.8:compile
                              >>>>>>> WHY ARE THERE NO DEPENDENCIES HERE? >>>>>>>>>
[INFO] |     |  |  |  +- (org.cloudera.htrace:htrace-core:jar:2.04:compile - omitted for duplicate)
[INFO] |     |  |  |  +- (org.apache.hadoop:hadoop-common:jar:2.5.0-cdh5.2.5:compile - omitted for duplicate)

Why wasn't the dependencies of jruby-complete listed in the tree? Does mvn dependency:tree only gfo to a certain depth? What are the rules here? If mvn dependency:tree had simply shown us its snakeyaml dependency we could have saved a couple hours of complex debugging.

David Williams
  • 8,388
  • 23
  • 83
  • 171

1 Answers1

15

I believe this forum topic would answer your question. The dependency tree mojo prunes lower level dependencies if the dependency is already present higher in the tree. That means that all of jruby-complete's dependencies (if it has any) are listed at a shallower depth in the tree. You can use the verbose flag (-Dverbose) to show the ommitted dependencies.

Samuel
  • 16,923
  • 6
  • 62
  • 75
  • So in this case, that would imply that the versions of the dependencies are not taken into account for the deduplication. Is that your understanding as well? – David Williams Mar 17 '16 at 03:25
  • That's probably the case. It's a bit hard to say which dependency is used because you could have the same dependency at the same depth in the tree, and at that point I couldn't say which would be used. I've always relied on Maven's M2E visualizations of the dependency hierarchy because it will show you the entire tree and omissions. You can see all the implicit dependencies as a list, click any one of them and it'll show you all the dependencies that depend on it, and the omissions. Works really well for me. – Samuel Mar 18 '16 at 00:18
  • So how to see a used dependency I mean them which finally will be in a fat jar – K2mil J33 Dec 27 '19 at 15:43
  • As it seems, `-Dverbose` does not work together with `-DoutputType=dot`. Come on Maven, all I wanted was a graphical representation of my dependencies... – mihca Jun 23 '21 at 13:47
  • 3
    Verbose not supported since maven-dependency-plugin 3.0 – Xdg Aug 04 '21 at 05:17
  • Verbose supported *again* in `3.3` – dpozinen Feb 07 '23 at 13:05