Maven:如何覆盖库添加的依赖项

时间:2022-07-31 00:01:23

Here's my generic problem:

这是我的通用问题:

My project P depends on A which depends on B which depends on C which depends on version 1.0.1 of D.

我的项目P依赖于A, A依赖于B, C依赖于D版本1.0.1。

There's a problem with version 1.0.1 of D and I want to force the use of another module. I don't know how to declare this in my project's POMs since I haven't added a dependency on D directly. It's C which declared the dependency on D.

D的1.0.1版本有问题,我想强制使用另一个模块。我不知道如何在项目的pom中声明这一点,因为我没有直接添加对D的依赖。C表示对D的依赖。

Important: In this case, not only the version is changed, but the group & artifact as well. So it's not just a matter of overriding the version of the dependency, but rather, of excluding a module and including another one.

注意:在这种情况下,不仅更改了版本,还更改了组和工件。因此,这不仅仅是重写依赖项的版本的问题,而是排除一个模块并包含另一个模块的问题。

In the concrete case, D is StAX whose 1.0.1 has a bug. According to the notes in the bug, "the problems were solved by replacing the stax-api-1.0.1 (maven GroupId = stax) by stax-api-1.0-2 (maven GroupId = javax.xml.stream)" so I'm trying just that.

在具体的例子中,D是StAX,它的1.0.1有一个bug。根据bug中的注释,“问题通过将stax-api-1.0.1 (maven GroupId = stax)替换为stax-api-1.0-2 (maven GroupId = javax.xml.stream)来解决”,所以我正在尝试。

Thus, D = stax:stax-api:jar:1.0.1 and C = org.apache.xmlbeans:xmlbeans:jar:2.3.0

因此,D = stax:stax-api:jar:1.0.1, C = org.apache.xmlbeans:xmlbeans:jar:2.3.0

I'm using maven 2.0.9 in case it matters.

我用的是maven 2.0.9,以防万一。

Output of mvn dependency:tree"

输出的mvn依赖性:树”

mvn dependency:tree
[..snip..]
[INFO] +- org.apache.poi:poi-ooxml:jar:3.6:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.6:compile
[INFO] |  |  +- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:compile

In my project's POM I have the following dependency on "A":

在我的项目POM中,我有以下对“A”的依赖:

<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi</artifactId>
    <version>3.6</version>
</dependency>
<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi-ooxml</artifactId>
    <version>3.6</version>
</dependency>

Thanks in advance.

提前谢谢。

4 个解决方案

#1


73  

Simply specify the version in your current pom. The version specified here will override other.

只需在当前pom中指定版本。这里指定的版本将覆盖其他版本。

Forcing a version
A version will always be honoured if it is declared in the current POM with a particular version - however, it should be noted that this will also affect other poms downstream if it is itself depended on using transitive dependencies.

如果在当前的POM中声明了一个特定的版本,那么强制将版本强制成为版本将永远是值得尊重的——但是,应该注意的是,如果它本身依赖于传递性依赖,那么这也会影响到下游的其他POM。


Resources :

资源:

#2


16  

Alternatively, you can just exclude the dependency that you don't want. STAX is included in JDK 1.6, so if you're using 1.6 you can just exclude it entirely.

或者,您可以排除您不想要的依赖项。STAX包含在JDK 1.6中,所以如果您使用1.6,您可以完全排除它。

My example below is slightly wrong for you - you only need one of the two exclusions but I'm not quite sure which one. There are other versions of Stax floating about, in my example below I was importing A which imported B which imported C & D which each (through yet more transitive dependencies) imported different versions of Stax. So in my dependency on 'A', I excluded both versions of Stax.

我下面的例子对你来说有点错误——你只需要其中的一个,但我不太确定是哪一个。还有其他版本的Stax,在我的示例中,我正在导入一个导入的B,导入C & D,每个(通过更多的传递依赖)导入不同版本的Stax。所以在我对A的依赖中,我排除了两个版本的Stax。

<dependency>
  <groupId>a.group</groupId>
  <artifactId>a.artifact</artifactId>
  <version>a.version</version>
  <exclusions>
    <!--  STAX comes with Java 1.6 -->
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>javax.xml.stream</groupId>
    </exclusion>
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>stax</groupId>
    </exclusion>
  </exclusions>
<dependency>

#3


4  

I also had trouble overruling a dependency in a third party library. I used scot's approach with the exclusion but I also added the dependency with the newer version in the pom. (I used Maven 3.3.3)

我也在第三方库中克服了对依赖的过度依赖。我使用了scot的排除方法,但我也添加了对pom中较新版本的依赖。(我使用Maven 3.3.3)

So for the stAX example it would look like this:

对于stAX的例子,它是这样的

<dependency>
  <groupId>a.group</groupId>
  <artifactId>a.artifact</artifactId>
  <version>a.version</version>
  <exclusions>
    <!--  STAX comes with Java 1.6 -->
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>javax.xml.stream</groupId>
    </exclusion>
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>stax</groupId>
    </exclusion>
  </exclusions>
<dependency>

<dependency>
    <groupId>javax.xml.stream</groupId>
    <artifactId>stax-api</artifactId>
    <version>1.0-2</version>
</dependency>

#4


1  

What you put inside the </dependencies> tag of the root pom will be included by all child modules of the root pom. If all your modules use that dependency, this is the way to go.

在根pom的标记中放入的内容将被根pom的所有子模块包含。如果所有的模块都使用这种依赖关系,这就是解决方法。

However, if only 3 out of 10 of your child modules use some dependency, you do not want this dependency to be included in all your child modules. In that case, you can just put the dependency inside the </dependencyManagement>. This will make sure that any child module that needs the dependency must declare it in their own pom file, but they will use the same version of that dependency as specified in your </dependencyManagement> tag.

但是,如果10个子模块中只有3个使用了依赖项,则不希望将该依赖项包含在所有子模块中。在这种情况下,您可以将依赖项放在中。这将确保任何需要依赖项的子模块必须在自己的pom文件中声明它,但是它们将使用与标记中指定的依赖项相同的版本。

You can also use the </dependencyManagement> to modify the version used in transitive dependencies, because the version declared in the upper most pom file is the one that will be used. This can be useful if your project A includes an external project B v1.0 that includes another external project C v1.0. Sometimes it happens that a security breach is found in project C v1.0 which is corrected in v1.1, but the developers of B are slow to update their project to use v1.1 of C. In that case, you can simply declare a dependency on C v1.1 in your project's root pom inside `, and everything will be good (assuming that B v1.0 will still be able to compile with C v1.1).

您还可以使用修改传递依赖项中使用的版本,因为在最上面的pom文件中声明的版本就是要使用的版本。如果您的项目A包含一个外部项目B v1.0,其中包含另一个外部项目C v1.0,那么这将非常有用。有时碰巧发现安全漏洞在v1.1项目C v1.0纠正,但B是缓慢更新项目的开发人员使用v1.1 C。在这种情况下,您可以简单地声明一个依赖C v1.1在项目根目录下的pom里面的,一切都会好(假设B v1.0仍然能够编译C v1.1)。

#1


73  

Simply specify the version in your current pom. The version specified here will override other.

只需在当前pom中指定版本。这里指定的版本将覆盖其他版本。

Forcing a version
A version will always be honoured if it is declared in the current POM with a particular version - however, it should be noted that this will also affect other poms downstream if it is itself depended on using transitive dependencies.

如果在当前的POM中声明了一个特定的版本,那么强制将版本强制成为版本将永远是值得尊重的——但是,应该注意的是,如果它本身依赖于传递性依赖,那么这也会影响到下游的其他POM。


Resources :

资源:

#2


16  

Alternatively, you can just exclude the dependency that you don't want. STAX is included in JDK 1.6, so if you're using 1.6 you can just exclude it entirely.

或者,您可以排除您不想要的依赖项。STAX包含在JDK 1.6中,所以如果您使用1.6,您可以完全排除它。

My example below is slightly wrong for you - you only need one of the two exclusions but I'm not quite sure which one. There are other versions of Stax floating about, in my example below I was importing A which imported B which imported C & D which each (through yet more transitive dependencies) imported different versions of Stax. So in my dependency on 'A', I excluded both versions of Stax.

我下面的例子对你来说有点错误——你只需要其中的一个,但我不太确定是哪一个。还有其他版本的Stax,在我的示例中,我正在导入一个导入的B,导入C & D,每个(通过更多的传递依赖)导入不同版本的Stax。所以在我对A的依赖中,我排除了两个版本的Stax。

<dependency>
  <groupId>a.group</groupId>
  <artifactId>a.artifact</artifactId>
  <version>a.version</version>
  <exclusions>
    <!--  STAX comes with Java 1.6 -->
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>javax.xml.stream</groupId>
    </exclusion>
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>stax</groupId>
    </exclusion>
  </exclusions>
<dependency>

#3


4  

I also had trouble overruling a dependency in a third party library. I used scot's approach with the exclusion but I also added the dependency with the newer version in the pom. (I used Maven 3.3.3)

我也在第三方库中克服了对依赖的过度依赖。我使用了scot的排除方法,但我也添加了对pom中较新版本的依赖。(我使用Maven 3.3.3)

So for the stAX example it would look like this:

对于stAX的例子,它是这样的

<dependency>
  <groupId>a.group</groupId>
  <artifactId>a.artifact</artifactId>
  <version>a.version</version>
  <exclusions>
    <!--  STAX comes with Java 1.6 -->
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>javax.xml.stream</groupId>
    </exclusion>
    <exclusion>
      <artifactId>stax-api</artifactId>
      <groupId>stax</groupId>
    </exclusion>
  </exclusions>
<dependency>

<dependency>
    <groupId>javax.xml.stream</groupId>
    <artifactId>stax-api</artifactId>
    <version>1.0-2</version>
</dependency>

#4


1  

What you put inside the </dependencies> tag of the root pom will be included by all child modules of the root pom. If all your modules use that dependency, this is the way to go.

在根pom的标记中放入的内容将被根pom的所有子模块包含。如果所有的模块都使用这种依赖关系,这就是解决方法。

However, if only 3 out of 10 of your child modules use some dependency, you do not want this dependency to be included in all your child modules. In that case, you can just put the dependency inside the </dependencyManagement>. This will make sure that any child module that needs the dependency must declare it in their own pom file, but they will use the same version of that dependency as specified in your </dependencyManagement> tag.

但是,如果10个子模块中只有3个使用了依赖项,则不希望将该依赖项包含在所有子模块中。在这种情况下,您可以将依赖项放在中。这将确保任何需要依赖项的子模块必须在自己的pom文件中声明它,但是它们将使用与标记中指定的依赖项相同的版本。

You can also use the </dependencyManagement> to modify the version used in transitive dependencies, because the version declared in the upper most pom file is the one that will be used. This can be useful if your project A includes an external project B v1.0 that includes another external project C v1.0. Sometimes it happens that a security breach is found in project C v1.0 which is corrected in v1.1, but the developers of B are slow to update their project to use v1.1 of C. In that case, you can simply declare a dependency on C v1.1 in your project's root pom inside `, and everything will be good (assuming that B v1.0 will still be able to compile with C v1.1).

您还可以使用修改传递依赖项中使用的版本,因为在最上面的pom文件中声明的版本就是要使用的版本。如果您的项目A包含一个外部项目B v1.0,其中包含另一个外部项目C v1.0,那么这将非常有用。有时碰巧发现安全漏洞在v1.1项目C v1.0纠正,但B是缓慢更新项目的开发人员使用v1.1 C。在这种情况下,您可以简单地声明一个依赖C v1.1在项目根目录下的pom里面的,一切都会好(假设B v1.0仍然能够编译C v1.1)。