1

Our warfile contains not the expected SNAPSHOT-Version of a jarfile, it contains an older release version via another dependency.

Simplified dependency:tree

war-x.x.x-SNAPSHOT
\- jar1-x.x.x-SNAPSHOT
   +- jar2-x.x.x
   |  +- problemjar-x.x.x
   +- jar3-x.x.x-SNAPSHOT

jar3-x.x.x-SNAPSHOT has a dependency "problemjar-x.x.y-SNAPSHOT" (newer version), but the war project build (and the dependency:tree) contains "problemjar-x.x.x" from "jar2-x.x.x".

For now, we "exclude" "problemjar-x.x.x" for "jar2-x.x.x".

But it would be nice to know the reason for this behaviour, IMHO the exclusion is just a workaround.

Notes:

  • The dependency "problemjar-x.x.y-SNAPSHOT" in "jar3-x.x.x-SNAPSHOT" is not "provided".
  • The Maven version is 3.2.5
  • The levels in the simplified dependency:tree above are correct, so the path to the older version is not shorter than the path to the newer SNAPSHOT version

edit: project structure

war and jar1 are children of one parent pom, the simplified dependency:tree is from the war project which has the jar1 project as a dependency. The others are normal/external dependencies, which applies to jar1 too as seen from the war project.

Gunnar
  • 383
  • 4
  • 18
  • Are those dependencies of the WAR build within the same build( Multi module) or coming from other builds? – khmarbaise Jun 20 '18 at 10:37
  • sorry, comment was wrong, no parent-child relation, war and jar1 are on the same level (children of multimodule). The rest are "normal" external dependencies. – Gunnar Jun 20 '18 at 10:55
  • It does not matter if they are coming from the same level or not..important is if they are within the same reactor (multi module build) if correctly referenced this can not happen only if you do things wrong... – khmarbaise Jun 20 '18 at 15:19

2 Answers2

3

Maven does not take the newest version from the dependency tree.

It takes the nearest version, and in your case this is the first it encounters.

If you want to force Maven to take a specific version, it is better to use <dependencyManagement> instead of exclusions.

J Fabian Meier
  • 33,516
  • 10
  • 64
  • 142
  • I don't think so, or can you point me to a corresponding original detail documentation? Imagine how many "exclusions" you'd have to write (or a "correct dependency order"), regarding one simple module with X external dependencies that use various versions of another external dependency. – Gunnar Jun 20 '18 at 11:25
  • Look up "dependency mediation" in https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html, and also consider https://stackoverflow.com/questions/34201120/maven-set-dependency-mediation-strategy-to-newest-rather-than-nearest – J Fabian Meier Jun 20 '18 at 11:28
  • In our company, we use dependencyManagement _a lot_, because Maven correctly determines groupId/artifactId, but trusting Maven regarding the version is problematic (at least in large projects). – J Fabian Meier Jun 20 '18 at 11:30
  • Thanks for the mediation hint, question answered – Gunnar Jun 20 '18 at 11:33
0

Make sure of the following:

1) Each child module should take it's version from it's parent, i.e. do not have a <version> tag only a <parent> tag that contains a version.

2) When you call the dependency from the same project always do it as follows:

<version>${project.version}</version>
Essex Boy
  • 7,565
  • 2
  • 21
  • 24
  • sorry, comment was wrong, no parent-child relation, war and jar1 are on the same level (children of multimodule). The rest are "normal" external dependencies. – Gunnar Jun 20 '18 at 10:53