stackoom
  简体   繁体   中英

How to exclude a transitive dependency in Maven project

 原文  2022-11-30 13:47:05       java/ spring-boot/ maven/ dependencies

Question

I have a java spring boot application A that has dependency B which is a third party jar. B in turn has dependency C. When people need upgrade C (say from v1.0 to v2.0), a common approach is that in pom.xml of A, using Maven exclusion feature to exclude C from B, then either declare C-v2.0 as a direct dependency, or add C-v2.0 to dependencyManagement section.

This approach doesn't guarantee work in all situations. An example is org.glassfish.metro:webservices-rt:2.4.3 has dependency woodstox-core:5.1.0 which contains high security vulnerabilities and need to upgrade to 6.4.0.

My project A has (direct)dependency webservices-rt:2.4.3. Applying above approach doesn't exclude woodstox-core:5.1.0 from my project. Note: the maven dependency tree doesn't show woodstox-core:5.1.0 any more, but Aqua Scan still indicates that webservices-rt has dependency woodstox-core:5.1.0.

Below is part of my pom

        <dependency>
            <groupId>com.fasterxml.woodstox</groupId>
            <artifactId>woodstox-core</artifactId>
            <version>6.4.0</version>
         </dependency>
         <dependency>
            <groupId>org.glassfish.metro</groupId>
            <artifactId>webservices-rt</artifactId>
            <version>2.4.3</version>
            <exclusions>
                <exclusion>
                    <groupId>com.fasterxml.woodstox</groupId>
                    <artifactId>woodstox-core</artifactId>
                </exclusion>
            </exclusions>
         </dependency>

It seems to me that whether above approach working or not depends on how jar B is packaged. Dose anyone has knowledge to share?

1 answers

solution1
 0  2022-11-30 14:32:47

  1. The much better approach is to set the desired version in <dependencyManagement> , ie
<dependencyManagement>
  <dependencies>
    <dependency>
       <groupId>com.fasterxml.woodstox</groupId>
       <artifactId>woodstox-core</artifactId>
       <version>6.4.0</version>
    </dependency>
  </dependencies)
</dependencyManagement>

Then you need no exclusions at all.

  1. If the dependency tree does not show it, it will not be used, unless the dependency is a fat jar. So, avoid fat jars as dependencies (if at all possible), and furthermore check if your Aqua Scan maybe does it wrong.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question exclude transitive shaded dependency in maven How to replace a transitive dependency library in a maven project How to exclude transitive dependency How do I exclude a Maven transitive dependency that comes from a Maven plugin? IntelliJ not loading transitive dependency in maven project How to exclude JUnit as transitive dependency in Gradle How to exclude transitive jar dependency in Gradle? How to exclude a transitive optional Maven system in Gradle? maven-shade-plugin: exclude a dependency and all its transitive dependencies How does maven look for transitive dependency
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM