[MENFORCER-402] RequireUpperBoundDeps now follow scope provided transitive dependencies
I have a dependency on org.infinispan:infinispan-core:12.1.7.Final and upgrading to the enforcer plugin 3.0.0 suddenly made my module fail because infinispan-core has conflicting provided dependencies on javax.annotation-api:
Require upper bound dependencies error for javax.annotation:javax.annotation-api:1.3.1 [provided] paths to dependency are:
+-org.xwiki.commons:xwiki-commons-cache-infinispan:13.9-SNAPSHOT
  +-org.infinispan:infinispan-core:12.1.7.Final
    +-javax.annotation:javax.annotation-api:1.3.1 [provided]
and
+-org.xwiki.commons:xwiki-commons-cache-infinispan:13.9-SNAPSHOT
  +-org.infinispan:infinispan-core:12.1.7.Final
    +-org.infinispan:infinispan-commons:12.1.7.Final
      +-javax.annotation:javax.annotation-api:1.3.1 [provided]
and
+-org.xwiki.commons:xwiki-commons-cache-infinispan:13.9-SNAPSHOT
  +-org.infinispan:infinispan-core:12.1.7.Final
    +-org.infinispan:infinispan-component-processor:12.1.7.Final [provided]
      +-javax.annotation:javax.annotation-api:1.3.1 [provided]
and
+-org.xwiki.commons:xwiki-commons-cache-infinispan:13.9-SNAPSHOT
  +-org.infinispan:infinispan-core:12.1.7.Final
    +-org.infinispan.protostream:protostream-types:4.4.1.Final
      +-javax.annotation:javax.annotation-api:1.3.2 [provided]
and
+-org.xwiki.commons:xwiki-commons-cache-infinispan:13.9-SNAPSHOT
  +-org.infinispan:infinispan-core:12.1.7.Final
    +-org.infinispan.protostream:protostream-processor:4.4.1.Final [provided]
      +-javax.annotation:javax.annotation-api:1.3.2 [provided]
and
+-org.xwiki.commons:xwiki-commons-cache-infinispan:13.9-SNAPSHOT
  +-org.infinispan:infinispan-core:12.1.7.Final
    +-org.infinispan:infinispan-commons:12.1.7.Final
      +-org.infinispan:infinispan-commons-jdk11:12.1.7.Final [provided]
        +-javax.annotation:javax.annotation-api:1.3.1 [provided]
It's not clear if this was done on purpose since I cannot find anything about that in the release note, but I might have missed it. Problem is that provided scope dependencies are not necessarily used at runtime (it's often used as a way to avoid making transitive a dependency you only need at build time) and adding an for a non-transitive dependency feels quite weird.
At least if this is not a bug, it would be nice to make this behavior configurable.