oracle/oci-java-sdk

BOM inherits from parent, which also defines <dependencyManagement>

ljnelson opened this issue · 5 comments

The OCI BOM (Bill of Materials) POM (v2.40.0) inherits from the parent POM:

```xml
<parent>
  <groupId>com.oracle.oci.sdk</groupId>
  <artifactId>oci-java-sdk</artifactId>
  <version>2.40.0</version>
  <relativePath>../pom.xml</relativePath>
</parent>
```

The parent POM also defines a <dependencyManagement> element:

https://github.com/oracle/oci-java-sdk/blob/v2.40.0/pom.xml#L498

The result is that projects that import the BOM also, unknowingly, effectively import all these other <dependencyManagement> entries that should not be managed by the OCI BOM. (BOMs normally do not manage anything that the project does not declare. Judging from the contents of the OCI BOM that seems to have been the intention, but the fact that its parent declares a <dependencyManagement> element sneakily and probably accidentally voids this intent.)

As an arbitrary example, if I import the OCI BOM into my pom.xml, then anytime I reference, say, jersey-client anywhere in my project, regardless of what version I designate, I will use whatever version of jersey-client OCI has happened to declare. (See https://github.com/oracle/oci-java-sdk/blob/v2.40.0/pom.xml#L550-L554).

I think the solution to this problem is to either not have a parent POM for the OCI BOM at all, or at least to have one that does not define its own <dependencyManagement> element.
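The check below is an added example, not part of the original issue or the OCI project's code. It lists the `<dependencyManagement>` entries a BOM picks up from its parent without declaring them itself, using constructed sample POMs (the `com.example.sdk` coordinates and all versions are placeholders), and assumes a single parent level with no property interpolation or nested imports.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs (not the real OCI files); coordinates under
# com.example.sdk and every version number are illustrative placeholders.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example.sdk</groupId>
  <artifactId>sdk-parent</artifactId>
  <version>1.0.0</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.glassfish.jersey.core</groupId><artifactId>jersey-client</artifactId><version>0.0.1</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>0.0.2</version></dependency>
  </dependencies></dependencyManagement>
</project>"""
PARENT_REF = "<parent><groupId>com.example.sdk</groupId><artifactId>sdk-parent</artifactId><version>1.0.0</version></parent>"
BOM_TEMPLATE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  %s
  <groupId>com.example.sdk</groupId><artifactId>sdk-bom</artifactId><version>1.0.0</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example.sdk</groupId><artifactId>sdk-core</artifactId><version>1.0.0</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

def managed(pom_xml):
    """Map (groupId, artifactId) -> version from a POM's own <dependencyManagement>."""
    out = {}
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    for dep in ET.fromstring(pom_xml).findall(path, NS):
        key = (dep.findtext("m:groupId", "", NS), dep.findtext("m:artifactId", "", NS))
        out[key] = dep.findtext("m:version", "", NS)
    return out

def leaked_entries(bom_xml, parent_xml):
    """Entries an importer inherits from the parent that the BOM never declares."""
    if ET.fromstring(bom_xml).find("m:parent", NS) is None:
        return {}  # no <parent>, so nothing is inherited into the BOM
    own = managed(bom_xml)
    return {k: v for k, v in managed(parent_xml).items() if k not in own}

if __name__ == "__main__":
    for label, bom in (("with parent", BOM_TEMPLATE % PARENT_REF), ("parent removed", BOM_TEMPLATE % "")):
        print(label, "->", leaked_entries(bom, PARENT_POM))
```

Run against a BOM before importing it, any non-empty result names third-party versions the import would pin in the consuming project.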

Just came here to report this issue as it just cost me a bunch of time and a lot of frowning to figure out why my junit version suddenly wouldn't converge anymore.
This issue essentially prevents this BOM from being imported into any project that has a non-trivial dependency tree. Also, the only workaround seems to be to copy-paste the BOM contents (without the stuff from the parent) into the <dependencyManagement> section of your project or create your own replacement BOM, as exclusions won't work in this case.

This got my team as well and is still an issue on the latest 3.5.0 release. This makes the BOM pretty much unusable IMO. Any chance we can get this fixed for the next release?

@ljnelson @towtow @vikinghawk We've updated the BOM pom.xml by removing the parent pom in v3.7.0. Can you confirm if this resolves your issue?

@kishan0201 yes it does, thanks for the fix!

Much better. Thanks!