maven 如何确定传递依赖的版本?
[英]how does maven determine the version of transitive dependencies?
问题描述
I am building a java project using maven, and i noticed that in one of the sub-project, jsonwebtoken 0.7.0 is included.
我正在使用 maven 构建一个 java 项目,我注意到在其中一个子项目中,包含了 jsonwebtoken 0.7.0。
https://github.com/WebGoat/WebGoat/blob/develop/webgoat-lessons/challenge/pom.xml https://github.com/WebGoat/WebGoat/blob/develop/webgoat-lessons/challenge/pom.xml
Then from maven repo ( https://repo1.maven.org/maven2/io/jsonwebtoken/jjwt/0.7.0/jjwt-0.7.0.pom ), jsonwebtoken 0.7.0 has a dependency of jackson-databind v2.8.2;然后从 maven repo ( https://repo1.maven.org/maven2/io/jsonwebtoken/jjwt/0.7.0/jjwt-0.7.0.pom ),jsonwebtoken 0.7.0 依赖于 jackson-databind v2.8.2 ;
However, when I trace from maven debug log, jackson-databind v2.10 was actually pulled by maven.但是,当我从 maven 调试日志中跟踪时,jackson-databind v2.10 实际上是由 maven 拉取的。
I understand that if a component version is not explicitly defined in POM, maven would default to latest, however, in above case, why would maven still chose to override the version to latest?我知道如果在 POM 中没有明确定义组件版本,maven 将默认为最新,但是,在上述情况下,为什么 maven 仍然选择将版本覆盖为最新?
thanks!谢谢!
2 个解决方案
解决方案1
4 已采纳 2020-03-15 08:26:36
If a dependency is added in multiple places, Maven takes the one that:如果在多个地方添加了一个依赖项,Maven 会采用:
- Is closer to your pom.xml in the hierarchy (transitive dependency vs. transitive dependency of a transitive dependency)在层次结构中更接近您的 pom.xml(传递依赖与传递依赖的传递依赖)
- If the depth is the same - it takes the first occurrence.如果深度相同 - 它需要第一次出现。
In order to guarantee which version is taken you need to declare it in your <dependencyManagement> section.为了保证采用哪个版本,您需要在<dependencyManagement>部分声明它。 This overrides whatever is declared in transitive dependencies.这会覆盖传递依赖项中声明的任何内容。
if a component version is not explicitly defined in POM, maven would default to latest
No, you can't define a dependency without an explicit version.不,您不能在没有明确版本的情况下定义依赖项。 Maven supports ranges though, but they are considered bad practice as this would lead to non-repeatable builds. Maven 支持范围,但它们被认为是不好的做法,因为这会导致不可重复的构建。
解决方案2
1 2020-03-15 07:34:40
I guess that you have somewhere a dependency that requires jackson-databind 2.10.我猜你在某个地方有一个需要 jackson-databind 2.10 的依赖项。 The higher version forces maven to override the jackson-databind 2.8.2 required by jsonwebtoken.更高版本强制 maven 覆盖 jsonwebtoken 所需的 jackson-databind 2.8.2。
But, if you include the jackson-databind explicitly in your project in another version, than that version overrides the version from the transitive dependency.但是,如果您在另一个版本的项目中明确包含 jackson-databind,则该版本会覆盖传递依赖项中的版本。
If you use eclipse, you can check the "Dependency Hierarchy.".如果你使用eclipse,你可以查看“Dependency Hierarchy.”。 Here as an example, if you include jackson-databind explicitly:例如,如果您明确包含 jackson-databind:
.. and here if you have two dependencies, that both include a transitive dependency with different versions (in this case spring-aop: spring-boot-starter-security wants 5.0.4.RELEASE, but gets "updated" due to spring-boot-starter-weg to 5.1.5.RELEASE): .. 在这里,如果您有两个依赖项,它们都包含具有不同版本的传递依赖项(在这种情况下,spring-aop:spring-boot-starter-security 需要 5.0.4.RELEASE,但由于 spring- boot-starter-weg 到 5.1.5.RELEASE):
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.