maven dependency management problems

maven is a wonderful build environment. It really is bliss when it works. Fortunately it does not break often, but unfortunately, your build can be broken by outside influences.

It recently happened to me twice for the same reason. I include the jboss maven repositories in my builds because that is a convenient place to download the jboss libraries from (it beats having to replicate them in a private repository). The JBoss folks do, however, have a knack for “fixing” problems in open source libraries. They create “brew” builds for this purpose, resulting in version numbers like “1.7-brew”. Maven nicely detects that these versions exist and considers them more recent than the version without “-brew”. So far so good. However, it does not correctly handle (at least in maven 2.0.8, which is what I am using) where to load the library from. At first it seems to scan all repositories to find out where versions of the artifact are available. Then it determines the highest allowed version number, and then it tries to load that version from the first repository where the artifact was found. Oops.

Fortunately there are a couple of solutions to this problem.

  • For starters, this just goes to show why depending on external repositories may be a bad idea. For truly reproducible builds, it is probably recommended that you maintain your own (shared) repository and not use central, jboss or other external repositories. This unfortunately also incurs a maintenance overhead (and more problems when requiring new libraries in your projects).
  • Obviously this problem occurs because the required version of the artifact is not locked down. If you want reproducible builds, you have to lock down the version numbers of your dependencies, and not use version ranges. Unfortunately, you cannot control the dependencies of your dependencies. However, you can still lock them down. In your pom, include a section like
    <dependencyManagement>
        <dependencies>
            <dependency>
                <!-- lock down version because of broken maven dependency resolution -->
                <groupId>commons-digester</groupId>
                <artifactId>commons-digester</artifactId>
                <version>1.7</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    for the problematic artifact, and your problem should be solved.
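As an added check, not part of the original post, the following Python script parses a pom.xml and reports direct dependencies whose effective version is a range or is left open, i.e. not locked down either directly or through dependencyManagement. The sample POM and the helper names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the post): one dependency managed to a
# fixed version, one declared with a version range, one pinned directly.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>commons-digester</groupId><artifactId>commons-digester</artifactId><version>1.7</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>commons-digester</groupId><artifactId>commons-digester</artifactId></dependency>
    <dependency><groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId><version>[1.6,)</version></dependency>
    <dependency><groupId>commons-logging</groupId><artifactId>commons-logging</artifactId><version>1.1</version></dependency>
  </dependencies>
</project>"""

# A Maven version range is bracketed, e.g. [1.6,) or (,2.0]
RANGE = re.compile(r"^[\[(].*[\])]$")


def _local(tag):
    return tag.split("}")[-1]  # drop the POM namespace from the tag


def _deps(node):
    """Map (groupId, artifactId) -> declared version (or None) for every
    <dependency> element below node."""
    out = {}
    for dep in node.iter():
        if _local(dep.tag) == "dependency":
            fields = {_local(c.tag): (c.text or "").strip() for c in dep}
            out[(fields.get("groupId"), fields.get("artifactId"))] = fields.get("version")
    return out


def unpinned_dependencies(pom_xml):
    """Return {(groupId, artifactId): reason} for direct dependencies whose
    effective version is not one fixed number, i.e. may resolve to something
    else (or from another repository) on the next build."""
    root = ET.fromstring(pom_xml)
    managed, direct = {}, {}
    for child in root:
        if _local(child.tag) == "dependencyManagement":
            managed = _deps(child)
        elif _local(child.tag) == "dependencies":
            direct = _deps(child)
    findings = {}
    for key, version in direct.items():
        effective = version or managed.get(key)  # direct version wins, else managed
        if not effective:
            findings[key] = "no version and not locked in dependencyManagement"
        elif RANGE.match(effective):
            findings[key] = "version range " + effective
    return findings
```

Run it over your own pom.xml (`unpinned_dependencies(open("pom.xml").read())`) before trusting a build to be reproducible; an empty result means every direct dependency resolves to a single fixed version.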
