maven - transitive dependencies [duplicate]

Question

This question already has answers here:

Maven : Should I keep or remove declared dependencies that are also transitives dependencies? (2 answers)

Closed 9 years ago.

I am trying to follow best practices when defining data in pom.xml, so I started to look into the Spring source code, and I have seen:

<project xmlns="http://maven.apache.org/POM/4.0.0"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.springframework</groupId>
  <artifactId>spring-aop</artifactId>
  <packaging>jar</packaging>
  <version>3.1.1.RELEASE</version>
.....

<dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>${project.version}</version>
      <scope>compile</scope>
</dependency>

---

<dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <scope>test</scope>
</dependency>
-----

But, spring-beans also has a dependency on log4j.

Can you please tell me, for the best practice methods, on what extent should you rely on transitive dependencies?

I am asking this because my first thought was not to redeclare the log4j dependency, since spring-beans had already declared it.

Answer 1

Declare dependencies that you explicitly rely on, whether it provides classes you directly import and use or it's something that provides a service you directly use, like Log4J. Transitive dependencies should only supply dependencies that are needed at runtime but that you don't use yourself.

Answer 2

There are two parts for this:

The log4j is declare for "test" scope, and it will not be part of finalized output (jar/war...). So When spring-beans depend on log4j for their test (scope), that does not mean there is a transitive dependency for projects that uses spring-beans at provided or runtime (scopes).

Dependency scope - this allows you to only include dependencies appropriate for the current stage of the build. ... test: This scope indicates that the dependency is not required for normal use of the application, and is only available for the test compilation and execution phases. (Apache)

The second part that:

When the version of dependency is not specify, then it relies on "other" pom for managing the dependency. So the dependency is transitive and managed by other. "dependency management"

Dependency management - this allows project authors to directly specify the versions of artifacts to be used when they are encountered in transitive dependencies or in dependencies where no version has been specified. (Apache)

Maven Apache transitive dependency