[#1637] Fix dependency:add routing versioned deps into dependencyManagement#1638
Merged
slawekjaranowski merged 1 commit intoJun 11, 2026
Merged
Conversation
…cyManagement
The `dependency:add` goal incorrectly added a versioned dependency to the
current POM's <dependencyManagement> instead of <dependencies> when the
project's existing dependencies are version-less because their versions come
from a BOM import (the standard maven-archetype-quickstart layout).
With align=true (default), detectConventions() set useManaged=true purely
because most <dependencies> were version-less, even though no parent POM
existed to host the managed entry. The result was written to the current
POM's <dependencyManagement>, which contradicts the documented behavior of
the `align` parameter ("add managed dependency to parent POM") and means the
dependency was never actually added to the project.
The auto-detected useManaged convention now only applies when a separate
parent POM exists to host the managed dependency. For a single/leaf POM a
versioned add goes to <dependencies>. Explicit -Dmanaged=true is unchanged.
Adds an integration test (add-dependency/bom-import) reproducing the case.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Author
|
Hey folks, can I get a review on this fix? |
slawekjaranowski
requested changes
Jun 9, 2026
Comment on lines
+32
to
+38
| <dependency> | ||
| <groupId>org.junit</groupId> | ||
| <artifactId>junit-bom</artifactId> | ||
| <version>5.11.0</version> | ||
| <type>pom</type> | ||
| <scope>import</scope> | ||
| </dependency> |
Member
There was a problem hiding this comment.
I hope we can use for such example any no existing artifacts, (like org.example:bom) as ddd mojo not require dependencies resolving, or we can add next mock artifact like a1 is.
When we merge it dependabot will try to updates it, and we will have next maintenance works on list
Contributor
Author
There was a problem hiding this comment.
@slawekjaranowski can we merge this one as is, and I will submit another PR changing all artifacts to non-existent examples.
Member
There was a problem hiding this comment.
ok, waiting for next PR 😄
slawekjaranowski
approved these changes
Jun 11, 2026
|
@slawekjaranowski Please assign appropriate label to PR according to the type of change. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1637
Problem
dependency:addwith an explicit version added the dependency to the current POM's<dependencyManagement>instead of<dependencies>when the project's existing dependencies are version-less because their versions come from a BOM import — the layout produced bymaven-archetype-quickstart.With
align=true(default),detectConventions()setuseManaged=truepurely because most<dependencies>were version-less. As there was no parent POM to host the managed entry (findManagedDepsPom()returnednull), the dependency was written into the current POM's<dependencyManagement>— so it was never actually added as a usable dependency. This also contradicts thealignJavadoc, which says the convention is to "add managed dependency to parent POM".Fix
The auto-detected
useManagedconvention now only applies when a separate parent POM actually exists to host the managed dependency. For a single/leaf POM, a versioned add goes to<dependencies>. Explicit-Dmanaged=trueis unchanged and still targets<dependencyManagement>.Testing
src/it/projects/add-dependency/bom-importreproduces the quickstart/BOM-import scenario and asserts the dependency lands in<dependencies>and not in<dependencyManagement>.AddDependencyMojoTestandspotless:checkpass.commons-lang3:3.20.0is now correctly added to<dependencies>.