Maven dependency puzzlers

Which jars on the classpath?

After running

$ mvn assembly:single

on myproject's pom.xml
with assembly configuration

<assembly>

  ...

  <dependencySets>
    <dependencySet>
      <outputDirectory/>
    </dependencySet>
  </dependencySets>

</assembly>

Different groupId

<project>
  <artifactId>myproject</artifactId>
  ...
  <dependencies>
    <dependency>
      <groupId>javassist</groupId>
      <artifactId>javassist</artifactId>
      <version>3.12.1.GA</version>
    </dependency>
    <dependency>
      <groupId>org.javassist</groupId>
      <artifactId>javassist</artifactId>
      <version>3.16.1-GA</version>
    </dependency>
  </dependencies>
</project>

Different groupId

Which jars on the classpath?

javassist-3.12.1.GA.jar
javassist-3.16.1-GA.jar
javassist-3.12.1.GA.jar
+ javassist-3.16.1-GA.jar
neither
Maven error
I don't know

Answer different groupId

Which jars on the classpath?

javassist-3.12.1.GA.jar
javassist-3.16.1-GA.jar
javassist-3.12.1.GA.jar
+ javassist-3.16.1-GA.jar
neither
Maven error
I don't know

Workaround different groupId's

Ban outdated GAVs (groupId - artifactId)

Don't depend on them

Exclude them

<dependencies>
  <dependency>
    ...
    <exclusions>
      <exclusion>
        <groupId>javassist</groupId>
        <artifactId>javassist</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  ...
</dependencies>

Which GAV to choose?
- Search http://search.maven.org/
- GAV with most recent versions

Solution different groupId

Don't change your groupId's or artifactId's

If you do change them,
relocate them in the repository too

<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>javassist</groupId>
  <artifactId>javassist</artifactId>
  <version>3.16.1-GA</version>
  <distributionManagement>
    <relocation>
      <groupId>org.javassist</groupId>
    </relocation>
  </distributionManagement>
</project>

http://maven.apache.org/guides/mini/guide-relocation.html

meanwhile in Maven Central ...

groupId's of Sun's JAXB implementation

Dependency inheritance

<project>
  <artifactId>myparent</artifactId>...
  <dependencyManagement><dependencies>
    <dependency>...
      <artifactId>commons-lang</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency>...
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies>
</project>
<project>
  <parent>...
    <artifactId>myparent</artifactId>...
  </parent>
  <artifactId>myproject</artifactId>...
  <dependencies>
    <dependency>...
      <artifactId>commons-lang</artifactId>
      <version>2.3</version>
    </dependency>
    <dependency>...
      <artifactId>commons-io</artifactId>
      <version>2.3</version>
    </dependency>
  </dependencies>
</project>

Dependency inheritance

Which jars on the classpath?

commons-lang-2.3.jar (my dep)
+ commons-io-2.3.jar (my dep)
commons-lang-2.3.jar (my dep)
+ commons-io-2.4.jar (parent dep)
commons-lang-2.4.jar (parent man)
+ commons-io-2.3.jar (my dep)
commons-lang-2.4.jar (parent man)
+ commons-io-2.4.jar (parent dep)
Maven error
I don't know

Answer dependency inheritance

Which jars on the classpath?

commons-lang-2.3.jar (my dep)
+ commons-io-2.3.jar (my dep)
commons-lang-2.3.jar (my dep)
+ commons-io-2.4.jar (parent dep)
commons-lang-2.4.jar (parent man)
+ commons-io-2.3.jar (my dep)
commons-lang-2.4.jar (parent man)
+ commons-io-2.4.jar (parent dep)
Maven error
I don't know

Solution dependency inheritance

<project>
  <artifactId>myparent</artifactId>...
  <dependencyManagement><dependencies>
    <dependency>...
      <artifactId>commons-lang</artifactId>
      <version>2.4</version>
    </dependency>
    <dependency>...
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>
<project>
  <parent>...
    <artifactId>myparent</artifactId>...
  </parent>
  <artifactId>myproject</artifactId>...
  <dependencies>
    <dependency>...
      <artifactId>commons-lang</artifactId>
      <!-- No version specified -->
    </dependency>
    <dependency>...
      <artifactId>commons-io</artifactId>
      <!-- No version specified -->
    </dependency>
  </dependencies>
</project>

Conflicting nephew

<project>
  <artifactId>a</artifactId>...
  <dependencies>
    <dependency>...
      <artifactId>slf4j-api</artifactId>
      <version>1.7.0</version>
    </dependency>
  </dependencies>
</project>
<project>
  <artifactId>myproject</artifactId>...
  <dependencies>
    <dependency>...
      <artifactId>a</artifactId>...
    </dependency>
    <dependency>...
      <artifactId>slf4j-api</artifactId>
      <version>1.5.0</version>
    </dependency>
  </dependencies>
</project>

Conflicting nephew

Which jars on the classpath?

slf4j-api-1.5.0.jar
slf4j-api-1.7.0.jar
slf4j-api-1.5.0.jar
+ slf4j-api-1.7.0.jar
neither
Maven error
I don't know

Answer conflicting nephew

Which jars on the classpath?

slf4j-api-1.5.0.jar
slf4j-api-1.7.0.jar
slf4j-api-1.5.0.jar
+ slf4j-api-1.7.0.jar
neither
Maven error
I don't know

Workaround: Fail fast with enforcer

Enforce that every (transitive) dependency is resolved to its specified version or higher.

<plugin>
  <artifactId>maven-enforcer-plugin</artifactId>
  <executions>
    <execution>
      <goals><goal>enforce</goal></goals>
      <configuration>
        <rules>
          <requireUpperBoundDeps/>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>

Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for org.slf4j:slf4j-api:1.5.0 paths to dependency are:
+-...:myproject:1.0.0
  +-org.slf4j:slf4j-api:1.5.0
and
+-...:myproject:1.0.0
  +-...:a:1.0.0
    +-org.slf4j:slf4j-api:1.7.0
]

Conflicting cousins

<project>...<artifactId>a</>...
  <dependencies>
    <dependency>...
      <artifactId>drools-core</artifactId>
      <version>5.2.0.CR1</version>
    </dependency>
  </dependencies>
</project>
<project>...<artifactId>b</>...
  <dependencies>
    <dependency>...
      <artifactId>drools-core</artifactId>
      <version>5.2.0.M2</version>
    </dependency>
  </dependencies>
</project>
<project>...<artifactId>c</>...
  <dependencies>
    <dependency>...
      <artifactId>drools-core</artifactId>
      <version>5.2.0.Final</version>
    </dependency>
  </dependencies>
</project>
<project>...<artifactId>myproject</>...
  <dependencies>
    <dependency>...<artifactId>a</>...</>
    <dependency>...<artifactId>b</>...</>
    <dependency>...<artifactId>c</>...</>
  </dependencies>
</project>

Conflicting cousins

Which jars on the classpath?

drools-core-5.2.0.CR1.jar
drools-core-5.2.0.M2.jar
drools-core-5.2.0.Final.jar
drools-core-5.2.0.CR1.jar
+ drools-core-5.2.0.M2.jar
+ drools-core-5.2.0.Final.jar
Maven error
I don't know

Answer conflicting cousins

Which jars on the classpath?

drools-core-5.2.0.CR1.jar
drools-core-5.2.0.M2.jar
drools-core-5.2.0.Final.jar
drools-core-5.2.0.CR1.jar
+ drools-core-5.2.0.M2.jar
+ drools-core-5.2.0.Final.jar
Maven error
I don't know

Later drools releases (5.3, 5.4, 5.5, ...)
no longer use M in version numbering.

Lexicographic version numbering

Lexicographic
- Tokenize on dots (.), then dashes (-)
- Letters < numbers: a < 1
- Group digits: 3 < 10
- 1.0.0.Beta3 < 1.0.0.Beta10 < 1.0.0.CR2
- 1.0.0.CR2 < 1.0.0.Final < 1.0.1.Beta1
For example: JBoss version guidelines
- major.minor.micro.[Alpha[n],Beta[n],CR[n],Final]
- https://community.jboss.org/wiki/JBossProjectVersioning
Requirement for module systems
- OSGi, Jigsaw?, ...

Conflict resolution in Maven ...

"Many projects did not follow lexicographically versioning."
When Maven detects a conflict,
it picks the nearest
(= highest level, first index)

Conflict resolution in practice ...

Good jars are backwards compatible

Common sense solution:
Retain the highest version (using lexicographic comparison)

Maven 3.1 or Tesla could fix this with pluggable conflict resolution?

Child with dependencyManagement

<project>...<artifactId>a</>...
  <dependencies>
    <dependency>...
      <artifactId>jbpm-flow</artifactId>
      <version>5.1.0.Final</version>
    </dependency>
  </dependencies>
</project>
<project>...<artifactId>yourparent</>...
  <dependencyManagement><dependencies>
    <dependency>...
      <artifactId>jbpm-flow</artifactId>
      <version>5.3.0.Final</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>
<project>...<artifactId>yourproject</>...
  <parent>...<artifactId>yourparent</>...</parent>
  <dependencies>
    <dependency>...
      <artifactId>a</artifactId>
    </dependency>
  </dependencies>
</project>
<project>...<artifactId>myproject</>...
  <dependencies>
    <dependency>...
      <artifactId>yourproject</artifactId>...
    </dependency>
  </dependencies>
</project>

Child with dependencyManagement

Which jars on the classpath?

jbpm-flow-5.1.0.Final.jar
jbpm-flow-5.3.0.Final.jar
Maven error
I don't know

Child with dependencyManagement

Which jars on the classpath?

jbpm-flow-5.1.0.Final.jar
jbpm-flow-5.3.0.Final.jar
Maven error
I don't know

Fat jars

<project>
  <artifactId>myproject</artifactId>
  ...
  <dependencies>
    <dependency>
      <-- Depends on:
          slf4j-api 1.6.1
          ... -->
      <groupId>org.jboss.weld.se</groupId>
      <artifactId>weld-se-core</artifactId>
      <version>1.1.8.Final</version>
    </dependency>
    <dependency>
      <-- Duplicates:
          weld-se-core 1.1.4.Final
          slf4j-api 1.5.10
          ... -->
      <groupId>org.jboss.weld.se</groupId>
      <artifactId>weld-se</artifactId>
      <version>1.1.4.Final</version>
    </dependency>
  </dependencies>
</project>

Fat jars

Which jars on the classpath?

weld-se-core-1.1.8.Final.jar
+ slf4j-api-1.6.1.jar
weld-se-1.1.4.Final.jar
weld-se-core-1.1.8.Final.jar
+ slf4j-api-1.6.1.jar
+ weld-se-1.1.4.Final.jar
Maven error
I don't know

Answer fat jars

Which jars on the classpath?

weld-se-core-1.1.8.Final.jar
+ slf4j-api-1.6.1.jar
weld-se-1.1.4.Final.jar
weld-se-core-1.1.8.Final.jar
+ slf4j-api-1.6.1.jar
+ weld-se-1.1.4.Final.jar
Maven error
I don't know

Solution fat jars

Don't depend on fat jars.

<project>
  <artifactId>myproject</artifactId>
  ...
  <dependencies>
    <dependency>
      <groupId>org.jboss.weld.se</groupId>
      <-- <artifactId>weld-se</artifactId> is evil -->
      <artifactId>weld-se-core</artifactId>
      <version>1.1.8.Final</version>
    </dependency>
  </dependencies>
</project>

And the winner is ...

Raise your hand if you have most points
- You might be a winner
What your seat number?
Look behind your right shoulder
Winner = highest points + seat 12
(+ less than 3 winners in front of you)
- None in seat 12 => Try seat 13, 14, ...

Maven dependency puzzlers

Which jars end up in the production classpath of myproject?

Count your points

Which jars on the classpath?

Environment

Question 1

Different groupId

Different groupId

Answer different groupId

Workaround different groupId's

Solution different groupId

meanwhile in Maven Central ...

groupId's of Sun's JAXB implementation

Question 2

Dependency inheritance

Dependency inheritance

Answer dependency inheritance

Solution dependency inheritance

Question 3

Conflicting nephew

Conflicting nephew

Answer conflicting nephew

Workaround: Fail fast with enforcer

Question 4

Conflicting cousins

Conflicting cousins

Answer conflicting cousins

Lexicographic version numbering

Workaround conflicting cousins

Conflict resolution in Maven ...

Conflict resolution in practice ...

Question 5

Child with dependencyManagement

Child with dependencyManagement

Child with dependencyManagement

myproject versus yourproject

Question 6

Fat jars

Fat jars

Answer fat jars

Solution fat jars

Shaded fat jars

And the winner is ...

Q & A

Maven
dependency
puzzlers

Which jars end up
in the production classpath
of myproject?