Affected version
3.10
Bug description
Take the following pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>reproducer</artifactId>
<version>0.0.1-SNAPSHOT</version>
<dependencyManagement>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client</artifactId>
<version>3.4.3</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-reload4j</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</project>
The output of mvn dependency:3.10.0:analyze-exclusions dependency:3.10.0:tree is:
[INFO] --- dependency:3.10.0:analyze-exclusions (default-cli) @ reproducer ---
[WARNING] reproducer defines following unnecessary excludes
[WARNING] org.apache.hadoop:hadoop-client:3.4.3
[WARNING] - org.slf4j:slf4j-reload4j @ line: 14
[INFO]
[INFO] --- dependency:3.10.0:tree (default-cli) @ reproducer ---
[INFO] com.example:reproducer:jar:0.0.1-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-client:jar:3.4.3:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.4.3:compile
[INFO] | +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_25:jar:1.5.0:compile
[INFO] | +- org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:1.5.0:compile
[INFO] | +- com.google.guava:guava:jar:32.0.1-jre:compile
[INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:3.33.0:compile
[INFO] | | \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] | +- commons-cli:commons-cli:jar:1.9.0:compile
[INFO] | +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | | \- commons-logging:commons-logging:jar:1.2:compile
[INFO] | +- commons-codec:commons-codec:jar:1.15:compile
[INFO] | +- commons-io:commons-io:jar:2.16.1:compile
[INFO] | +- commons-net:commons-net:jar:3.9.0:compile
[INFO] | +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] | +- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] | +- org.eclipse.jetty:jetty-servlet:jar:9.4.57.v20241219:compile
[INFO] | | +- org.eclipse.jetty:jetty-security:jar:9.4.57.v20241219:compile
[INFO] | | \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.57.v20241219:compile
[INFO] | +- org.eclipse.jetty:jetty-webapp:jar:9.4.57.v20241219:compile
[INFO] | | \- org.eclipse.jetty:jetty-xml:jar:9.4.57.v20241219:compile
[INFO] | +- javax.servlet.jsp:jsp-api:jar:2.1:runtime
[INFO] | +- com.sun.jersey:jersey-servlet:jar:1.19.4:compile
[INFO] | +- ch.qos.reload4j:reload4j:jar:1.2.22:compile
[INFO] | +- org.apache.commons:commons-configuration2:jar:2.10.1:compile
[INFO] | +- org.apache.commons:commons-lang3:jar:3.18.0:compile
[INFO] | +- org.apache.commons:commons-text:jar:1.14.0:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] | +- org.apache.avro:avro:jar:1.11.4:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.14.3:compile
[INFO] | +- com.google.re2j:re2j:jar:1.1:compile
[INFO] | +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] | +- org.apache.hadoop:hadoop-auth:jar:3.4.3:compile
[INFO] | | +- com.nimbusds:nimbus-jose-jwt:jar:10.4:compile
[INFO] | | +- org.apache.curator:curator-framework:jar:5.2.0:compile
[INFO] | | \- org.apache.kerby:kerb-util:jar:2.0.3:compile
[INFO] | | +- org.apache.kerby:kerby-config:jar:2.0.3:compile
[INFO] | | \- org.apache.kerby:kerb-crypto:jar:2.0.3:compile
[INFO] | +- org.apache.curator:curator-client:jar:5.2.0:compile
[INFO] | +- org.apache.curator:curator-recipes:jar:5.2.0:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.127.Final:compile
[INFO] | | +- io.netty:netty-common:jar:4.1.127.Final:compile
[INFO] | | +- io.netty:netty-resolver:jar:4.1.127.Final:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.127.Final:compile
[INFO] | | +- io.netty:netty-transport:jar:4.1.127.Final:compile
[INFO] | | +- io.netty:netty-transport-native-unix-common:jar:4.1.127.Final:compile
[INFO] | | \- io.netty:netty-codec:jar:4.1.127.Final:compile
[INFO] | +- io.netty:netty-transport-native-epoll:jar:4.1.127.Final:compile
[INFO] | | \- io.netty:netty-transport-classes-epoll:jar:4.1.127.Final:compile
[INFO] | +- io.dropwizard.metrics:metrics-core:jar:3.2.4:compile
[INFO] | +- org.apache.commons:commons-compress:jar:1.26.1:compile
[INFO] | +- org.bouncycastle:bcprov-jdk18on:jar:1.82:compile
[INFO] | +- org.apache.kerby:kerb-core:jar:2.0.3:compile
[INFO] | | \- org.apache.kerby:kerby-pkix:jar:2.0.3:compile
[INFO] | | +- org.apache.kerby:kerby-asn1:jar:2.0.3:compile
[INFO] | | \- org.apache.kerby:kerby-util:jar:2.0.3:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.7.1:compile
[INFO] | +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] | +- com.fasterxml.woodstox:woodstox-core:jar:5.4.0:compile
[INFO] | +- dnsjava:dnsjava:jar:3.6.1:compile
[INFO] | \- org.xerial.snappy:snappy-java:jar:1.1.10.4:compile
{...}
If you follow the advise and then remove the slf4j-reload4j exclusion and re-execute:
[INFO] --- dependency:3.10.0:analyze-exclusions (default-cli) @ reproducer ---
[INFO]
[INFO] --- dependency:3.10.0:tree (default-cli) @ reproducer ---
[INFO] com.example:reproducer:jar:0.0.1-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-client:jar:3.4.3:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.4.3:compile
{...}
[INFO] | +- org.slf4j:slf4j-reload4j:jar:1.7.36:compile
You can see the exclusion wasn't unused after all, as without it the slf4j-reload4j dependency appears in the tree
Affected version
3.10
Bug description
Take the following
pom.xml:The output of
mvn dependency:3.10.0:analyze-exclusions dependency:3.10.0:treeis:If you follow the advise and then remove the
slf4j-reload4jexclusionand re-execute:You can see the
exclusionwasn't unused after all, as without it theslf4j-reload4jdependency appears in the tree