Maven pulling in older version than specified in pom.xml

Question

I have an existing Project X that I'm adding the AWS SDK to, but for some reason it tries to use an old version of Apache Commons httpclient and blows up.

Project X already required httpclient in its pom.xml without a version, and the AWS SDK v1.11.52 specifies httpclient v4.5.2 as a dependency. Since there was no version I set the version as 4.5.2 in Project X's pom.xml. This compiles successfully, but when I try to use the code in a JSP page hosted by Tomcat I get this error:

HTTP Status 500 - Handler processing failed; nested exception is java.lang.NoSuchMethodError: org.apache.http.conn.ssl.SSLConnectionSocketFactory.<init>(Ljavax/net/ssl/SSLContext;Ljavax/net/ssl/HostnameVerifier;)V

Looking at the lib directory in Tomcat, I see the jar for httpclient v4.3 is there. I confirmed the constructor in the error doesn't exist in v4.3, but does exist in v4.5.2.

I made sure to use mvn clean, clear my classpath file, and also tried deleting ~/.m2, but when I rebuild the project, v4.3 of httpclient is still pulled in. I am not using an IDE, just Maven. I have checked the project to make sure there's no mention of v4.3 anywhere so I don't understand why this is happening.

I checked my dependency information with mvn depdency:tree -Dverbose. Here is the relevant portion, httpclient is not mentioned anywhere else:

[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.3:compile (version managed from 4.4.4)
[INFO] |  +- commons-logging:commons-logging:jar:1.1.3:compile (version managed from 1.2)
[INFO] |  \- commons-codec:commons-codec:jar:1.9:compile
...
[INFO] |  +- com.amazonaws:aws-java-sdk-core:jar:1.11.52:compile
[INFO] |  |  +- (commons-logging:commons-logging:jar:1.1.3:compile - version managed from 1.2; omitted for duplicate)
[INFO] |  |  +- (org.apache.httpcomponents:httpclient:jar:4.3:compile - version managed from 4.5.2; omitted for conflict with 4.5.2)

Why is a version not mentioned in any of my pom.xml files being pulled in? Can I get maven to explain version managed in more detail? Most importantly, is there a way I can force the version number of my dependency?

---

Update: The issue was that the old version was included in the parent pom; I missed this and couldn't figure it out from the dependency:tree output. Updating the parent pom solved the issue. Sorry for the false alarm.

Answer 1

If there is no direct dependency, but there are only indirect dependencies, Maven will choose the first it finds, and that purely depends on the order of your complete dependency tree. You can force the version to be the one you want, by:

• add a direct dependency in your pom
• add the dependency in the dependencyManagement part (see: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management ) to make sure (when it's needed) Maven will select the right ones.

Side note: Maybe you want to update versions of some indirect dependencies of httpclient as well the same way if you bump into other problems.

If you want to read more, pls have a look at this post. A LOT of information is explained here: How do I tell Maven to use the latest version of a dependency?