3

I discovered interesting features provided by the maven dependency plugin. I've analyzed one of my projects and got the following output:

[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.6:compil
e
[WARNING]    javax.xml.soap:saaj-api:jar:1.3:compile
[WARNING]    org.apache.geronimo.specs:geronimo-annotation_1.0_spec:jar:1.1.1:co
mpile
[WARNING]    org.apache.geronimo.specs:geronimo-jaxws_2.1_spec:jar:1.0:compile
[WARNING]    org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Fin
al:compile
[WARNING]    org.apache.geronimo.specs:geronimo-ws-metadata_2.0_spec:jar:1.1.2:c
ompile
[WARNING] Unused declared dependencies found:
[WARNING]    junit:junit:jar:4.5:test
[WARNING]    log4j:apache-log4j-extras:jar:1.1:compile
[WARNING]    org.slf4j:slf4j-log4j12:jar:1.6.4:compile
[WARNING]    org.slf4j:slf4j-api:jar:1.6.4:compile
[WARNING]    org.hibernate:hibernate-c3p0:jar:3.6.8.Final:runtime

The "unused declared" section is clear to me. Concerning the "used undeclared" section, it shows me the dependencies that are used directly by my project but included in the classpath transitively by Maven.

Let's take the first one as an example, "org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.6:compile": this dependency is included since it is a dependency of cxf-rt-core-2.2.6. But the code present in the JAR is also used directly by the project. I'm now wondering whether, when this project was written, the developer may have had the intention to use another Java Mail JAR.

If I want to use CXF 2.2.6 in one of my projects, I automatically get the Java Mail spec provided by Geronimo as a transitive dependency. What if I want to use another Java Mail API? By looking in search.maven.org, I can see that many JARs provide the Java Mail API.

Thanks

manash

2 Answers

1

If you want to exclude a particular transitive dependency you can use the exclusions for dependencies.

<dependency>
  <groupId>...</groupId>
  <artifactId>..</artifactId>
  <version>..</version>
  <exclusions>
    <exclusion>
      <groupId>sample.ProjectB</groupId>
      <artifactId>Project-B</artifactId>
    </exclusion>
    ..
  </exclusions> 
</dependency>

This is only possible for the first level of transitive dependencies.

Betlista
khmarbaise
  • I know this solution exists. As you said, it is possible only for the first level of transitive dependencies. So, if I use a project A that depends on B that depends on geronimo-javamail-spec, I am forced to use it and I can't include in my classpath another Java Mail API? – manash May 04 '12 at 09:01
  • Ah sorry. No, just add B as a direct dependency and exclude it, because the shortest path to a dependency wins. – khmarbaise May 04 '12 at 09:19
  • Thanks. But, in general, what is the decision to take in this situation? Using the Geronimo dependencies is enough? – manash May 04 '12 at 11:48
  • If these are the deps which have the mail in there, yes; otherwise you have to change others as well. There are no general suggestions I can give. You have to check the dependencies. – khmarbaise May 04 '12 at 14:06
  • Are you sure about the first level only limitation? On the documentation page you linked here it is written: "Exclusions work on the entire dependency graph below the point where they are declared. If you wanted to exclude Project-E instead of Project-D, you'd simply change the exclusion to point at Project-E, but you wouldn't move the exclusion down to Project-D..." – andresp Jul 30 '13 at 20:22
1

It's likely that the programmer neglected to check the version of the Java Mail API jar at all - this is precisely the reason for the 'Used undeclared dependencies' warning. You should fix it by adding the dependency in the main POM as a direct dependency. Use the version that currently works (because it's included transitively) and don't worry about the original programmer's intention - they probably didn't think about it at all.

Then, if the transitive version changes in a breaking way, your project should be OK because it's listed directly.

artbristol
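As an added example (not part of the original question or answers), this Python script parses `dependency:analyze` output like that in the question, rejoins coordinates that the console wrapped, and renders each "used undeclared" coordinate as the direct `<dependency>` declaration the answer above recommends. The function names and the embedded sample are constructed for illustration; coordinates that carry a classifier are rejected rather than guessed at.

```python
import re
# Constructed sample: lines taken from the question's output, console wrap included.
SAMPLE = """\
[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.6:compil
e
[WARNING]    javax.xml.soap:saaj-api:jar:1.3:compile
[WARNING] Unused declared dependencies found:
[WARNING]    junit:junit:jar:4.5:test
"""
HEADERS = {"Used undeclared dependencies found:": "used_undeclared",
           "Unused declared dependencies found:": "unused_declared"}
PREFIX = re.compile(r"^\[(?:WARNING|INFO|ERROR)\]\s*")

def parse_analyze(text):
    """Group reported coordinates by section, rejoining console-wrapped lines."""
    sections = {name: [] for name in HEADERS.values()}
    current = None
    for line in map(str.strip, text.splitlines()):
        if not PREFIX.match(line):
            if current and sections[current]:  # unprefixed: wrapped tail of a coordinate
                sections[current][-1] += line
            continue
        body = PREFIX.sub("", line)
        if body in HEADERS:
            current = HEADERS[body]
        elif current and body.count(":") >= 2:
            sections[current].append(body)
        else:
            current = None  # any other log line ends the section
    return sections

def to_pom(coord):
    """Render groupId:artifactId:type:version:scope as a <dependency> element."""
    parts = coord.split(":")
    if len(parts) != 5:  # coordinates with a classifier are out of scope here
        raise ValueError(f"unexpected coordinate: {coord}")
    group, artifact, dep_type, version, scope = parts
    xml = [f"  <groupId>{group}</groupId>", f"  <artifactId>{artifact}</artifactId>",
           f"  <version>{version}</version>"]
    if dep_type != "jar":      # jar is Maven's default type
        xml.append(f"  <type>{dep_type}</type>")
    if scope != "compile":     # compile is Maven's default scope
        xml.append(f"  <scope>{scope}</scope>")
    return "\n".join(["<dependency>", *xml, "</dependency>"])

if __name__ == "__main__":
    print("\n\n".join(map(to_pom, parse_analyze(SAMPLE)["used_undeclared"])))
```

Declaring the generated elements in the POM pins the versions the project already compiles against, so a later change in a transitive path cannot silently swap them.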