Maven dependency org.hibernate.validator 7.0.1.Final with differing dependencies in projects-CodePudding

in two different maven projects, we include the same dependency: hibernate-validator 7.0.1.Final like this:

        <dependency>
            <groupId>org.hibernate.validator</groupId>
            <artifactId>hibernate-validator</artifactId>
            <version>7.0.1.Final</version>
        </dependency>

Running mvn dependency:list gives the following results.

Project A:

[INFO]  - org.hibernate.validator:hibernate-validator:jar:7.0.1.Final:compile
[INFO] |   - jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |   - org.jboss.logging:jboss-logging:jar:3.4.2.Final:compile
[INFO] |  \- com.fasterxml:classmate:jar:1.5.1:compile

Running mvn dependency:list-repositories for this project gives:

[INFO] Repositories used by this build:
[INFO]        id: sonatype-nexus-snapshots
      url: https://oss.sonatype.org/content/repositories/snapshots
   layout: default
snapshots: [enabled => true, update => daily]
 releases: [enabled => false, update => daily]

[INFO]        id: spy
      url: http://files.couchbase.com/maven2/
   layout: default
snapshots: [enabled => false, update => daily]
 releases: [enabled => true, update => daily]

[INFO]        id: apache.snapshots
      url: http://repository.apache.org/snapshots
   layout: default
snapshots: [enabled => true, update => daily]
 releases: [enabled => false, update => daily]

[INFO]        id: apache.snapshots
      url: https://repository.apache.org/snapshots
   layout: default
snapshots: [enabled => true, update => daily]
 releases: [enabled => false, update => daily]

[INFO]        id: shibboleth-repo
      url: https://build.shibboleth.net/nexus/content/repositories/releases/
   layout: default
snapshots: [enabled => true, update => daily]
 releases: [enabled => true, update => daily]

[INFO]        id: central
      url: https://repo.maven.apache.org/maven2
   layout: default
snapshots: [enabled => false, update => daily]
 releases: [enabled => true, update => daily]

Project B:

[INFO]  - org.hibernate.validator:hibernate-validator:jar:7.0.1.Final:compile
[INFO] |   - jakarta.validation:jakarta.validation-api:jar:3.0.0:compile
[INFO] |   - org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  \- com.fasterxml:classmate:jar:1.5.1:compile

Running mvn dependency:list-repositories for this project gives:

[INFO] Repositories Used by this build:
[INFO]       id: central
      url: https://repo.maven.apache.org/maven2
   layout: default
snapshots: [enabled => false, update => daily]
 releases: [enabled => true, update => daily]

[INFO]       id: project.local
      url: file:C:\*****\*****/repo
   layout: default
snapshots: [enabled => true, update => daily]
 releases: [enabled => true, update => daily]

[INFO]       id: apache.snapshots
      url: https://repository.apache.org/snapshots
   layout: default
snapshots: [enabled => true, update => daily]
 releases: [enabled => false, update => daily]

Until now I thought dependencies of a dependency would be always the same, given that the version is the same, but this result makes me doubt that.

Has this to do with other dependencies in the projects? Might this be a result of the projects using different repositories?

CodePudding user response：

Dependencies of the org.hibernate.validator:hibernate-validator:jar:7.0.1.Final can be found on MvnRespository. Compile Dependencies section of this artifact shows that is uses jakarta.validation:jakarta.validation-api:jar:3.0.0 and org.jboss.logging:jboss-logging:jar:3.4.1 (among others).

That means that in project A something actually overrides those transitive dependencies. You could check the following link for more information how it is possible. Basically it looks like the project A pom (or the parent pom of this project) declares dependencies towards jakarta.validation-api and jboss-logging which would then be picked by Maven as it searches for "nearest definition" dependencies.