How transitive dependency work for second level dependency

Question

I have following dependency tree.

[INFO] +- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] |  +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] |  +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] |  |  +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] |  |  +- commons-lang:commons-lang:jar:2.6:compile

When I add dependency "commons-lang" as top level dependency in the pom file it automatically removes the transitive dependency for common-lang even without exclude it from pom file.

[INFO] +- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] |  +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] |  +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] |  |  +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] |  |  +- javax.inject:javax.inject:jar:1:compile

What is expected is it should exclude common-lang when we exclude it from jasperreports.

This is strange and should not happen. – J Fabian Meier Jun 21 '19 at 11:07 — J Fabian Meier, Jun 21 '19 at 11:07

camtastic · Answer 1 · 2019-06-21T17:04:19.387

When a dependency is declared in your projects pom maven will use that declaration instead of the transitive dependency.

Omitted dependencies are not displayed in the maven dependency tree, and I just learned that since maven-dependency-plugin version 3.0 the verbose option is no longer supported - which would show the omitted dependency.

I see this when I tried to provide -Dverbose option at maven command line (for "mvn dependency:tree -Dverbose=true"):

 Verbose not supported since maven-dependency-plugin 3.0

See comments on answer in Display omitted versions in maven dependency:tree?

score 0 · Accepted Answer · answered Jun 22 '19 at 04:33

Dependency Mediation is the rule which you are talking about. It is one of the rule which maven follows to manage transitive dependencies.

It will put commons-lang in the dependency tree according to its nearest definition in the pom.

You can read about all the rules here :
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html

So to quote them :

Dependency mediation - this determines what version of an artifact will be chosen when multiple versions are encountered as dependencies. Maven picks the "nearest definition". That is, it uses the version of the closest dependency to your project in the tree of dependencies. You can always guarantee a version by declaring it explicitly in your project's POM.

And the dependency of commons-lang is never removed, its place in the transitive tree has changed. Now it has become a Level 1 dependency.

[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] \- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO]    +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO]    +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO]    |  +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO]    |  +- javax.inject:javax.inject:jar:1:compile
[INFO]    |  +- stax:stax:jar:1.2.0:compile
[INFO]    |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO]    |  \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-core:jar:2.1.4:compile

Do we still need to exclude commons-lang from jasperreports? — abo, Jun 24 '19 at 05:58

How transitive dependency work for second level dependency

2 Answers2