Skip to content

Fix dependency management logic resolution order #6554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
timtebeek merged 4 commits into from
Jan 16, 2026
Merged

Fix dependency management logic resolution order #6554

timtebeek merged 4 commits into from
Jan 16, 2026
+208 −127

Conversation

@shanman190
Copy link
Contributor

@shanman190 shanman190 commented Jan 16, 2026

What's changed?

  • Maven does not merge managed dependency attributes. It replaces them entirely.
  • When a managed dependency doesn't have a version, it short circuits and effectively removes the managed dependency rules.
  • Given we resolve managed versions starting from the closest, then going to the furthest entries, we should retain the first encountered entry. If that entry comes from a BOM, then the nearest parent managed dependency can override it.

What's your motivation?

Encountered a diamond problem which illustrated an issue with managed dependency handling.

Anything in particular you'd like reviewers to focus on?

N/A

Anyone you would like to review specifically?

@timtebeek @sambsnyd

Have you considered any alternatives or workarounds?

N/A

Any additional context

I did clean up one extra test to be a bit more idiomatic with OpenRewrite standards.

Checklist

  • I've added unit tests to cover both positive and negative cases
  • I've read and applied the recipe conventions and best practices
  • I've used the IntelliJ IDEA auto-formatter on affected files

@shanman190 shanman190 self-assigned this Jan 16, 2026
@shanman190 shanman190 added the bug Something isn't working label Jan 16, 2026
@github-project-automation github-project-automation bot moved this to In Progress in OpenRewrite Jan 16, 2026
timtebeek
timtebeek approved these changes Jan 16, 2026
View reviewed changes
Copy link
Member

@timtebeek timtebeek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice find, thanks! Couple quick suggestions, but otherwise looks ok to me.

@github-project-automation github-project-automation bot moved this from In Progress to Ready to Review in OpenRewrite Jan 16, 2026
sambsnyd
sambsnyd approved these changes Jan 16, 2026
View reviewed changes
Copy link
Member

@sambsnyd sambsnyd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Tim's feedback about the tests

timtebeek
timtebeek approved these changes Jan 16, 2026
View reviewed changes
Copy link
Member

@timtebeek timtebeek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for the research, fix and adjustments!

@timtebeek timtebeek merged commit 0b21dd4 into main Jan 16, 2026
2 checks passed
@timtebeek timtebeek deleted the bugfix/maven-dependency-management branch January 16, 2026 23:02
@github-project-automation github-project-automation bot moved this from Ready to Review to Done in OpenRewrite Jan 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timtebeek timtebeek timtebeek approved these changes

@sambsnyd sambsnyd sambsnyd approved these changes

Assignees

@shanman190 shanman190

Labels

bug Something isn't working maven parser

Projects

OpenRewrite
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@shanman190 @timtebeek @sambsnyd