-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Aggregate ignores versions #125
Comments
The versions are indeed ignored in the aggregated graphs. My intention for that was to mimic an overall dependency graph on a multi-module maven project. Choosing only the first occurrence of a dependency during graph traversal reflects the nearest-first approach of Maven's dependency resolution. |
Hello, I came here after running depgraph in an aggregate project. I can give more details later but basically my project has several WARs each of which has their own dependencies. While I understand what you intended to do, would you be able to provide an option to get the raw dependency tree of each component as it is, rather than as maven would like it to be? The use case is that I wish to see the exact dependencies that will be included by each subcomponent: This came up with this entire log4shell debacle, where I wanted to check the version of all log4j libraries by using depgraph ... unfortunately depgraph only showed the version it picked from one of the WARs (I ended up checking the WARs by hand, and I also tested depgraph by deliberately including WARs with different versions of log4j as dependencies of the package POM) |
Hi @glianeric, |
I have a very simple project that has a parent module with two children.
Module A depends on
aws-java-sdk-core
version1.11.844
:Module B depends on
aws-java-sdk-core
version1.11.655
:(I got both graphs by running
mvn com.github.ferstl:depgraph-maven-plugin:3.3.0:graph -DgraphFormat=dot -DoutputFileName=graph.dot -DshowVersions=true
and then looking at thetarget/
directory of each module for thegraph.dot
file).However, when I use the aggregate goal, I get:
(by running
mvn com.github.ferstl:depgraph-maven-plugin:3.3.0:aggregate -DgraphFormat=dot -DoutputFileName=graph.dot -DshowVersions=true
)It is merging the versions from both modules in the graph. Is this expected? Docs say: "The goals depgraph:aggregate and depgraph:aggregate-by-groupid create aggregated dependency graphs on the root of a multi-module project. They show the union of all the modules' dependencies by omitting redundant edges." It is only the union if versions are deliberately ignored.
If I swap the versions between modules A and B, the aggregate output changes.
Repro is here: https://github.com/gabrielrussoc/maven-enforcer-cross-dep
The text was updated successfully, but these errors were encountered: