Skip to content

Fix for #408, ensure nested dependency exclusions aren't overrided #485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Fix for #408, ensure nested dependency exclusions aren't overrided #485

wants to merge 16 commits into from

Conversation

@treilhes
Copy link

@treilhes treilhes commented Sep 24, 2025

Hi,

This PR try to solve #408, dependencies are present in the flattened POM even when excluded in a nested dependency of a project.

From my understanding the issue comes from

flatten-maven-plugin/src/main/java/org/codehaus/mojo/flatten/FlattenMojo.java

Line 1126 in 75a3989

for (Artifact artifact : project.getArtifacts()) {

project.getArtifacts() returns all project's resolved artifacts which is ok but using those artifacts as dependencies in the CollectRequest transforms those dependencies as if they were direct ones and by doing so removes any exclusions that may have been set in the nested dependency POM.

I think projectDependencies and managedDependencies are sufficient so the whole loop is unnecessary and can be safely removed:

for (Artifact artifact : project.getArtifacts()) {
    collectRequest.addDependency(RepositoryUtils.toDependency(artifact, null));
}

As I'm not familiar with all the ins and outs of this project i'm not 100% sure of my analysis so please take this removal with caution

A unit test has been added demonstrating the case.
Don't hesitate to request changes if needed

@slachiewicz slachiewicz requested a review from Copilot October 5, 2025 19:44

This comment was marked as resolved.

Sign in to view

@treilhes
Copy link
Author

treilhes commented Oct 6, 2025

Contrary to my first assumption it is necessary to provide project dependencies to the collect request but using project.getDependencies() allows providing only direct dependencies instead of also providing transitive ones.
By doing so the collect request will handle the transitive exclusions as expected

@treilhes

This comment has been minimized.

Sign in to view
@treilhes
Copy link
Author

treilhes commented Oct 27, 2025

Don't merge this PR yet, it causes a regression on maven dependency version resolution.
Issue is under analysis

@slawekjaranowski slawekjaranowski marked this pull request as draft October 27, 2025 19:59
@treilhes treilhes marked this pull request as ready for review October 28, 2025 01:55
@treilhes
Copy link
Author

treilhes commented Oct 28, 2025
edited
Loading

A word about the last commit (5b9a7e2)

It is a workaround to the maven issue apache/maven#7682

This issue was already raised (#185) and solved (#307) by @suztomo in a previous version
Moving from a ProjectBuildingRequest to a CollectRequest did reintroduce the issue but it was still hidden because the plugin was using the first processed dependency instead of using the conflict winner.

To ensure test dependencies did not override runtime dependencies this commit removes them from the collected dependencies and relaunch the conflict resolution process.
By doing so, the real winners between runtime only dependencies are used in the flattened pom

@treilhes

This comment has been minimized.

Sign in to view
@treilhes

This comment has been minimized.

Sign in to view
@slachiewicz slachiewicz requested a review from Copilot November 8, 2025 03:42

This comment was marked as resolved.

Sign in to view

treilhes and others added 7 commits November 8, 2025 15:14
@treilhes
Update src/test/java/org/codehaus/mojo/flatten/FlattenMojoNestedExclu…
4fae9e1 
…sionTest.java

Co-authored-by: Copilot <[email protected]>
@treilhes
Update src/test/java/org/codehaus/mojo/flatten/FlattenMojoConflictWin…
7b768d7 
…nerTest.java

Co-authored-by: Copilot <[email protected]>
@treilhes
Update src/main/java/org/codehaus/mojo/flatten/FlattenMojo.java
6fe45a6 
Co-authored-by: Copilot <[email protected]>
@treilhes
Update src/main/java/org/codehaus/mojo/flatten/FlattenMojo.java
6e914f0 
Co-authored-by: Copilot <[email protected]>
@treilhes
Update src/main/java/org/codehaus/mojo/flatten/FlattenMojo.java
ce21acc 
Co-authored-by: Copilot <[email protected]>
@treilhes
Update src/main/java/org/codehaus/mojo/flatten/FlattenMojo.java
4a90434 
Co-authored-by: Copilot <[email protected]>
@treilhes
removed loop on projectDependencies as it does not contains profile deps
111a5d4 
project.getDependencies does contains profile deps
@treilhes
Copy link
Author

treilhes commented Nov 8, 2025

Hello @slawekjaranowski, @slachiewicz,
Copilot suggestions included except one (you can see why in commit message or copilot conversation)
Ready for a new round of build

@treilhes
Copy link
Author

treilhes commented Nov 22, 2025

Hello @slawekjaranowski, @slachiewicz,
Seems ok, do you have any additional requirements ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@treilhes