maven - Maven 执法者是否忽略依赖管理部分？

Question

我在父 pom 的导入的 dependencyManagement 部分中指定了一个库版本。我确认我的有效 pom 只有一次出现这种依赖。它在依赖管理部分:

<dependencyManagement>
    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>[3.18.1-GA]</version>
    </dependency>
</dependencyManagement>

这应该根据它覆盖传递依赖项的版本。安装(并重新安装依赖项以匹配版本边界)后，org.apache.maven.plugins:maven-dependency-plugin:2.8:tree 打印:

org.javassist:javassist:jar:3.18.1-GA:compile (version selected from constraint [3.18.1-GA,3.18.1-GA])

但是(最初，没有重新安装依赖项)enforcer 提示错误的版本:

[WARNING] Rule 1: org.apache.maven.plugins.enforcer.DependencyConvergence failed with message:
Failed while enforcing releasability the error(s) are [
Dependency convergence error for org.javassist:javassist:3.18.2-GA paths to dependency are:
...

并表明第一个传递依赖使用

org.javassist:javassist:3.18.2-GA

这来自依赖，而依赖又依赖于:

<dependencies>
    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>3.18.2-GA</version>
    </dependency>
</dependencies>

和其他用途

org.javassist:javassist:3.18.1-GA

为什么执行器与依赖树不一致？有什么问题？如果我使用版本限制，它们是否会受到尊重，我可以跳过为此目的使用强制执行器吗？

此外，向相关项目模块添加依赖项不会改变任何内容。

Answer 1

Tl;博士 : dependencyManagement覆盖传递依赖的版本

这个答案的所有功劳归功于安迪丹尼，我偶然发现了他的博客文章:
https://www.fizz-buzz.com/blog/2012/08/02/maven-enforcer-plugin-vs-dependencymanagement
dependencyManagement做两件事——一件众所周知，另一件很少被提及。

为子模块/子项目中的依赖项设置默认版本

覆盖传递依赖的版本

所以执行器插件不会忽略 dependencyManagement .但是无法识别差异，因为传递依赖的版本在它开始工作之前就被改变了。 Andy Denny 在他的博客上对如何进行有一个很好的建议:

1. I don’t put dependencies in the dependencyManagement section of my top-level POM. I want to be alerted by maven-enforcer-plugin when I’ve got mismatches. Instead, I use version properties, as mentioned in my approach #1 above.
2. When maven-enforcer-plugin notifies me of discrepancies, I try to see if I can get the artifacts involved to use the same version of the divergent dependency. If all the dependencies involved are in my own artifacts, I try to get them aligned on the same version of the dependency. If some artifacts are mine and some are from 3rd parties, I try to align my dependencies with the 3rd parties, and/or look for other versions of the 3rd party artifacts that have dependency versions that align with each other, and my code.
3. If after doing the above, I still have unresolveable discrepancies, I choose what I think is the “best fit” version of the problematic artifact and specify that in the dependencyManagement section of the project POM where maven-enforcer-plugin reported the problem (not in my top-level POM). I add a comment to the dependency declaration in that POM noting the issue and the workaround, so that in the future, should I upgrade to a newer version of the dependency, I’ll see the note and can revisit whether the discrepancy can possibly then be resolved.

这里的权衡是你有一个有效的执行器插件，可以帮助你解决依赖问题，但必须手动完成更多工作。