
Maven transitive dependency - Commons Collection version 3 vs 4

I have this configuration in pom.xml:

    <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.4</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>4.4</version>
    </dependency>

But unfortunately mvn dependency:tree shows me that commons-beanutils has a dependency on commons-collections 3.x:

    [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
    [INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
    [INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile

I don't want Commons Collections 3 in my code, but it's possible that someone uses a class from this library by mistake (instead of Commons Collections 4, which is the preferred version).

As you see in the dependency tree, I can't exclude Commons Collections 3, because it is used (a java.lang.NoClassDefFoundError can occur).

Question:

How do I protect my code base against pollution by the Commons Collections 3 API?

You can use dependency:analyze-only

https://maven.apache.org/plugins/maven-dependency-plugin/analyze-only-mojo.html

to check whether you use undeclared dependencies, i.e. whether you use a transitive dependency without explicitly declaring it.

If you don't want this in your build but just want to check it occasionally, you can use dependency:analyze from the command line.
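The answer above names the goal but not how to wire it so the build actually fails. The following pom.xml fragment is an added example, not part of the original answer: it binds analyze-only to the build and turns the "used undeclared" warning into a build failure. The plugin version, the execution id and the choice of the verify phase are my assumptions; adjust them to your project.

```xml
<!-- Added example: fail the build when compiled classes reference a dependency
     (such as commons-collections:commons-collections 3.x, pulled in transitively
     by commons-beanutils) that is not declared in this pom. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <!-- assumed version; any 3.x release supports these parameters -->
      <version>3.6.1</version>
      <executions>
        <execution>
          <!-- assumed execution id -->
          <id>fail-on-undeclared-dependencies</id>
          <!-- analyze-only does not fork the build, so it must run after
               test-compile; verify is a safe choice -->
          <phase>verify</phase>
          <goals>
            <goal>analyze-only</goal>
          </goals>
          <configuration>
            <!-- Promote "Used undeclared dependencies found" (and
                 "Unused declared dependencies found") from a warning
                 to a build failure -->
            <failOnWarning>true</failOnWarning>
            <!-- Keep commons-collections4 declared in every module, even one
                 that does not reference it yet, without tripping the
                 unused-declared check -->
            <ignoredUnusedDeclaredDependencies>
              <ignoredUnusedDeclaredDependency>org.apache.commons:commons-collections4</ignoredUnusedDeclaredDependency>
            </ignoredUnusedDeclaredDependencies>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, a class that imports anything from the org.apache.commons.collections (3.x) package compiles, but the analysis of the compiled bytecode reports commons-collections:commons-collections as a used undeclared dependency and, because of failOnWarning, the build fails. The only way to "fix" that is to declare commons-collections explicitly in the pom, which shows up as a pom diff in code review rather than as a silent import. Two caveats: the analysis works on bytecode references, so it does not catch classes loaded by reflection, and it does not change the runtime classpath, where commons-collections 3.2.2 still sits because commons-beanutils needs it. It guards your source base, not the classpath; if the concern is a vulnerable 3.x build at runtime rather than API pollution, that is a separate question.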
