sqr

Reputation: 427

how does maven determine the version of transitive dependencies?

I am building a Java project using Maven, and I noticed that in one of the sub-projects, jsonwebtoken 0.7.0 is included.

https://github.com/WebGoat/WebGoat/blob/develop/webgoat-lessons/challenge/pom.xml


Then from maven repo (https://repo1.maven.org/maven2/io/jsonwebtoken/jjwt/0.7.0/jjwt-0.7.0.pom), jsonwebtoken 0.7.0 has a dependency of jackson-databind v2.8.2;


However, when I trace from maven debug log, jackson-databind v2.10 was actually pulled by maven.

I understand that if a component version is not explicitly defined in the POM, Maven would default to the latest; however, in the above case, why would Maven still choose to override the version to the latest?

thanks!

Upvotes: 3

Views: 1276

Answers (2)

Stanislav Bashkyrtsev

Reputation: 15316

If a dependency is added in multiple places, Maven takes the one that:

  • Is closer to your pom.xml in the hierarchy (transitive dependency vs. transitive dependency of a transitive dependency)
  • If the depth is the same - it takes the first occurrence.

In order to guarantee which version is taken you need to declare it in your <dependencyManagement> section. This overrides whatever is declared in transitive dependencies.

if a component version is not explicitly defined in POM, maven would default to latest

No, you can't define a dependency without an explicit version. Maven does support version ranges, but they are considered bad practice, as they lead to non-repeatable builds.

Upvotes: 5
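To make the two rules in this answer concrete, here is an added Python model of Maven's mediation (written for this page, not Maven's own code): a constructed tree in which jjwt asks for jackson-databind 2.8.2 and a second dependency asks for 2.10.0, resolved nearest-wins with first-declared winning ties, plus an optional managed-version map standing in for the <dependencyManagement> section. The artifacts and versions in the tree are constructed and are not WebGoat's real dependency graph.

```python
from collections import deque

# Constructed dependency tree (illustration only, not WebGoat's real graph).
# Each node is (groupId:artifactId, version, [child nodes]).
JACKSON = "com.fasterxml.jackson.core:jackson-databind"
JJWT = ("io.jsonwebtoken:jjwt", "0.7.0", [(JACKSON, "2.8.2", [])])
STARTER_JSON = ("org.springframework.boot:spring-boot-starter-json", "2.2.0.RELEASE",
                [(JACKSON, "2.10.0", [])])
DEEP = ("example:lib-a", "1.0", [                  # hypothetical artifacts
    ("example:lib-b", "1.0", [(JACKSON, "2.9.0", [])]),
])


def resolve(direct_deps, managed=None):
    """Model Maven's mediation: walk the tree breadth-first in declaration
    order, so the shallowest occurrence of an artifact wins and, at equal
    depth, the first one declared. `managed` plays the role of
    <dependencyManagement>: its version replaces whatever any POM asked for.
    Returns (chosen, conflicts): chosen maps artifact -> (version, depth,
    path), conflicts maps artifact -> versions that were omitted."""
    managed = managed or {}
    chosen, conflicts = {}, {}
    queue = deque((dep, 1, ["project"]) for dep in direct_deps)
    while queue:
        (ga, version, children), depth, path = queue.popleft()
        if ga in managed:
            version = managed[ga]          # managed version always wins
        here = path + [f"{ga}:{version}"]
        if ga in chosen:                   # omitted for conflict / duplicate
            if chosen[ga][0] != version:
                conflicts.setdefault(ga, []).append(version)
            continue                       # children of an omitted node are not walked
        chosen[ga] = (version, depth, here)
        # Simplification: children are taken from the declared node even when
        # the version was managed; real Maven reads the managed version's POM.
        for child in children:
            queue.append((child, depth + 1, here))
    return chosen, conflicts


def winner(direct_deps, artifact, managed=None):
    """Convenience: the version Maven would put on the classpath for one artifact."""
    return resolve(direct_deps, managed)[0][artifact][0]


if __name__ == "__main__":
    for order in ([JJWT, STARTER_JSON], [STARTER_JSON, JJWT], [DEEP, JJWT]):
        chosen, conflicts = resolve(order)
        print(chosen[JACKSON], "omitted:", conflicts.get(JACKSON))
    print("managed:", winner([JJWT, STARTER_JSON], JACKSON, {JACKSON: "2.10.0"}))
```

Run `mvn dependency:tree -Dverbose` against a real project to see the same decisions annotated as "omitted for conflict with" on the losing nodes.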

Manuel

Reputation: 4258

I guess that you have a dependency somewhere that requires jackson-databind 2.10. The higher version forces Maven to override the jackson-databind 2.8.2 required by jsonwebtoken.

But if you include jackson-databind explicitly in your project in another version, then that version overrides the version from the transitive dependency.

If you use Eclipse, you can check the "Dependency Hierarchy". Here is an example, if you include jackson-databind explicitly:


... and here, if you have two dependencies that both include a transitive dependency with different versions (in this case spring-aop: spring-boot-starter-security wants 5.0.4.RELEASE, but it gets "updated" to 5.1.5.RELEASE due to spring-boot-starter-web):


Upvotes: 1
