Maven transitive dependency on system scoped dependency

I have a Spring Boot project (2.1.3) to which I had to add a jar file supplied by one of our partners (referred to here with the com.aesenc group id). I added it as a system-scoped dependency, even though that is against the recommendation, because this repo already had other system-scoped dependencies (I will address this in the future). This broke one of the API calls due to a transitive dependency in the partner-supplied jar (commons-codec). Spring Boot started using this commons-codec instead of the one that came with the Spring BOM. To resolve the issue, I added an exclusion to the system-scoped dependency:

<dependency>
   <groupId>aesenc.group</groupId>
   <artifactId>com.aesenc</artifactId>
   <version>1.0</version>
   <scope>system</scope>
   <exclusions>
      <exclusion>  <!-- declare the exclusion here -->
         <groupId>commons-codec</groupId>
         <artifactId>commons-codec</artifactId>
      </exclusion>
   </exclusions>
   <systemPath>${basedir}/src/main/resources/libs/AESEnc/AESEnc.jar</systemPath>
</dependency>

This didn't solve the issue. So, after going through the Maven documentation, I added an updated version of commons-codec as a dependency in the current project to make it an immediate child in the dependency graph:

<dependency>
   <groupId>commons-codec</groupId>
   <artifactId>commons-codec</artifactId>
   <version>1.15</version>
</dependency>

This alone also didn't solve the issue. But by moving it above com.aesenc in the pom file, the issue got resolved. So I'm confused about my understanding of how dependency resolution happens in Maven.

This didn't work:

My project +
           |
           +-aesenc-+
           |        |
           |        +commons-codec-v1.10
           |
           +commons-codec-v1.15

My assumption is that this is how the dependency tree looks, and that just adding v1.15 as a dependency would have solved the issue irrespective of its ordering in the pom.

This worked:

My project +
           |
           +commons-codec-v1.15
           |
           +-aesenc-+
                    |
                    +commons-codec-v1.10

I would like to know where my assumptions have gone wrong.
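Added example, not part of the original post: Maven exclusions and version mediation act only on dependencies declared in POMs, so they cannot remove classes packed inside a jar file, and in that case the copy that loads is decided by classpath order, which follows declaration order in the pom. The script below checks a jar for bundled commons-codec classes and leftover embedded Maven metadata. That the partner jar bundles them is an assumption to verify, and the sample jar, its `com/aesenc` path and the function names are constructed for illustration.

```python
import io
import sys
import zipfile


def inspect_jar(jar, package_prefix):
    """List classes under package_prefix and any embedded Maven metadata."""
    prefix = package_prefix.replace(".", "/").rstrip("/") + "/"
    classes, embedded = [], {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith(prefix) and name.endswith(".class"):
                classes.append(name)
            parts = name.split("/")
            # Repackaged jars often keep the original artifact's
            # META-INF/maven/<groupId>/<artifactId>/pom.properties
            if (len(parts) == 5 and parts[:2] == ["META-INF", "maven"]
                    and parts[4] == "pom.properties"):
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                version = props.get("version", "unknown").strip()
                embedded[f"{parts[2]}:{parts[3]}"] = version
    return {"classes": sorted(classes), "embedded_artifacts": embedded}


def build_sample_jar():
    """Constructed stand-in for a vendor jar; not the real AESEnc.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/aesenc/AESEnc.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/commons/codec/binary/Base64.class",
                    b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/commons-codec/commons-codec/pom.properties",
                    "#Generated\nversion=1.10\ngroupId=commons-codec\n"
                    "artifactId=commons-codec\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass the path to the real jar as the first argument; otherwise use the sample.
    jar = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    report = inspect_jar(jar, "org.apache.commons.codec")
    print(f"{len(report['classes'])} bundled commons-codec classes")
    for coords, version in report["embedded_artifacts"].items():
        print(f"embedded artifact: {coords}:{version}")
```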