Skip to content

Fix BOM version resolution for sibling modules in dependencyManagement#12416

Open
Hiteshsai007 wants to merge 5 commits into
apache:masterfrom
Hiteshsai007:maven-11147-bom-version-resolution
Open

Fix BOM version resolution for sibling modules in dependencyManagement#12416
Hiteshsai007 wants to merge 5 commits into
apache:masterfrom
Hiteshsai007:maven-11147-bom-version-resolution

Conversation

@Hiteshsai007

@Hiteshsai007 Hiteshsai007 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Description

This PR addresses, fixing a regression in Maven 4 where version and groupId inference were skipped for dependencies declared within the <dependencyManagement> section of a BOM-packaged project.

Issue: #11147

How it works:
I updated the transformFileToRaw method within DefaultModelBuilder to ensure that model.getDependencyManagement().getDependencies() is processed with the same inferDependencyVersion and inferDependencyGroupId logic that is already applied to direct dependencies (model.getDependencies()).

Why this is necessary:
Previously, if a BOM subproject declared sibling reactor modules within its <dependencyManagement> block but omitted the <version> tags (expecting them to be resolved from the reactor), the transformation to the raw model would skip them entirely. This resulted in the installed consumer POM missing the required version tags for those managed dependencies. This change ensures that the reactor versions are properly inherited and written to the consumer POM.

Testing:

  • Successfully verified the fix locally using the bom-example reproducer provided in the issue, confirming that the resulting consumer POM now contains the correctly inferred versions.
  • Formatted with spotless:apply and successfully passed all maven-impl unit tests. Note: Due to the complexity of simulating a full multi-module reactor state directly within DefaultModelBuilderTest, a standalone unit test for this specific code path was omitted in favor of the reproducer validation.

Following this checklist to help us incorporate your
contribution quickly and easily:

  • Your pull request should address just one issue, without pulling in other changes.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body.
    Note that commits might be squashed by a maintainer on merge.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied.
    This may not always be possible but is a best-practice.
  • Run mvn verify to make sure basic checks pass.
    A more thorough check will be performed on your pull request automatically.
  • You have run the Core IT successfully.

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

@elharo elharo changed the title Fix BOM version resolution for sibling modules in dependencyManagement [MNG-11147] Fix BOM version resolution for sibling modules in dependencyManagement Jul 5, 2026

@elharo elharo left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Needs tests
  2. Needs a link to github issue

@Hiteshsai007 Hiteshsai007 changed the title [MNG-11147] Fix BOM version resolution for sibling modules in dependencyManagement #11147 Fix BOM version resolution for sibling modules in dependencyManagement Jul 5, 2026
@Hiteshsai007

Copy link
Copy Markdown
Contributor Author

@elharo Thanks for the review! I've addressed both items:

  1. Tests: Added testBomDependencyManagementVersionInference() in DefaultModelBuilderTest that verifies version inference works for dependencies in <dependencyManagement>, not just <dependencies>. The test registers a sibling module in the reactor, then calls transformFileToRaw on a BOM model with a managed dependency missing its version, and asserts the version is correctly inferred.

  2. Issue link: Updated the PR description to include Fixes #11147.

All 13 tests in DefaultModelBuilderTest pass with zero failures.

@Hiteshsai007 Hiteshsai007 requested a review from elharo July 5, 2026 15:22
@elharo elharo changed the title #11147 Fix BOM version resolution for sibling modules in dependencyManagement Fix BOM version resolution for sibling modules in dependencyManagement Jul 6, 2026
@Hiteshsai007 Hiteshsai007 requested a review from elharo July 6, 2026 13:47

@gnodet gnodet left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Fix BOM version resolution for sibling modules in dependencyManagement

The core fix is correct and well-targeted — transformFileToRaw was only processing model.getDependencies() and ignoring model.getDependencyManagement().getDependencies(), which is the root cause of issue #11147. The fix correctly extends the same inferDependencyVersion and inferDependencyGroupId logic to managed dependencies. The test demonstrates the fix works, and the test POM files are well-structured.

Minor observations

1. Unnecessary list copy when only dependencyManagement changes (low)
impl/maven-impl/src/main/java/org/apache/maven/impl/model/DefaultModelBuilder.java

When model.getDependencies() is non-empty (so newDeps is allocated) but only mgmtChanged flips changed to true, the code enters if (changed) and then if (newDeps != null) passes, calling builder.dependencies(newDeps) with an identical list. This is harmless but creates an unnecessary copy. Consider tracking a separate boolean depsChanged flag.

2. Duplicated loop logic (low)

The for-loop bodies for regular dependencies and dependencyManagement dependencies are near-identical, differing only in the source list, target list, and changed-flag variable. Consider extracting a helper method to reduce duplication — though this is minor with only two occurrences.

Overall this is a clean, well-scoped fix. CI should be triggered (rebase to master) to validate the full test suite.

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

Claude Code on behalf of Guillaume Nodet

gnodet added a commit to gnodet/maven that referenced this pull request Jul 9, 2026
Reviewed 3 PRs: apache#12416 (BOM version resolution fix), apache#12410 (path-traversal
re-review), apache#11818 (@nullable annotations). 5 findings verified, 5 false
positives dropped.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Hiteshsai007 Hiteshsai007 force-pushed the maven-11147-bom-version-resolution branch from dd646fb to e0ba241 Compare July 10, 2026 04:35
…d separately

- Extract inferDependencies() helper method to deduplicate the near-identical for-loop bodies for regular dependencies and dependencyManagement dependencies

- Track separate depsChanged/mgmtChanged booleans to avoid unnecessary list copy when only dependencyManagement changes
@Hiteshsai007

Copy link
Copy Markdown
Contributor Author

Thanks for the review @gnodet! Both suggestions have been addressed in the latest commit:

1. Unnecessary list copy fix:
Replaced the single boolean changed flag with separate boolean depsChanged and boolean mgmtChanged flags. Now builder.dependencies(newDeps) is only called when regular dependencies actually changed, avoiding the unnecessary copy when only dependencyManagement was modified.

2. Duplicated loop logic:
Extracted a new inferDependencies(Model, List<Dependency>, List<Dependency>) helper method that encapsulates the shared loop logic for inferring missing version/groupId. Both the regular dependencies and dependencyManagement dependencies processing now delegate to this single method, eliminating the duplication.

The branch has also been rebased onto the latest master to trigger CI.

@Hiteshsai007 Hiteshsai007 requested a review from gnodet July 10, 2026 04:47

@gnodet gnodet left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-review — New Commit

The latest commit (acbea96) cleanly addresses both concerns from the previous review:

  1. Unnecessary list copy — Fixed by tracking separate depsChanged and mgmtChanged flags, so builder.dependencies(newDeps) is only called when regular dependencies actually changed.
  2. Duplicated loop logic — Extracted into a private inferDependencies helper method with proper Javadoc. Clean and well-structured.

The core fix remains correct and well-scoped. The test follows existing conventions in DefaultModelBuilderTest and exercises the specific scenario from issue #11147.

Minor Observations

  • The test asserts assertNotNull(managedDep.getVersion()) but does not check the specific expected version value — asserting "1.0-SNAPSHOT" would make failures more diagnosable.
  • elharo's earlier CHANGES_REQUESTED reviews (needs tests, needs issue URL) have both been addressed.

No CI checks are reported for this branch — a rebase may be needed to trigger CI. ✅


This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

Claude Code on behalf of Guillaume Nodet

gnodet added a commit to gnodet/maven that referenced this pull request Jul 10, 2026
Re-reviewed PRs apache#12419, apache#12417, apache#12416 after new commits.
- apache#12419: APPROVE (formatting fix only)
- apache#12417: COMMENT (improved but still no tests, BOM filter bug)
- apache#12416: APPROVE (prior concerns addressed)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Hiteshsai007

Copy link
Copy Markdown
Contributor Author

Thanks for the review and the approval, @gnodet!

I've just pushed a small follow-up commit to address your minor observations:

  • Updated the test assertion from assertNotNull(managedDep.getVersion()) to assertEquals("1.0-SNAPSHOT", managedDep.getVersion()) to make any potential failures more diagnosable.
  • Pushed the latest changes to the branch, which should re-trigger the CI checks.

Waiting on the CI results now!

@Hiteshsai007 Hiteshsai007 requested a review from gnodet July 10, 2026 06:23

@gnodet gnodet left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-review — Feedback Addressed

The new commit (d932300) addresses the observation from the previous review: the test now uses assertEquals("1.0-SNAPSHOT", managedDep.getVersion(), "Version should be inferred from the reactor sibling module") instead of assertNotNull(managedDep.getVersion()), making test failures more diagnosable. ✅

No other changes — PR remains clean.


This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

Claude Code on behalf of Guillaume Nodet

gnodet added a commit to gnodet/maven that referenced this pull request Jul 10, 2026
Author addressed assertion feedback from previous review.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants