We Keep Coding

Maven dependencies wrong version for okhttp3 mockwebserver

I am trying to use okhttp3.mockwebserver with my Spring boot project and I find out that okhttp3:mockwebserver:jar:3.14.9 is included instead of 4.9.1.
I have created small 'mock' projects to reproduce the issue I have in my prod.
The project is here https://github.com/mkarasik/okhttp-test
It contains two folders:
lib
This is a simple library including mockwebserver as dependency
pom.xml dependency
<dependencies>
...
<dependency>
<groupId>com.squareup.okhttp3</groupId>
<artifactId>mockwebserver</artifactId>
<version>4.9.1</version>
<exclusions>
<exclusion>
<artifactId>junit</artifactId>
<groupId>junit</groupId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
Maven dependencies tree
\- com.squareup.okhttp3:mockwebserver:jar:4.9.1:compile
+- com.squareup.okhttp3:okhttp:jar:3.14.9:compile
This is already wrong. Mockwebserver pom contains 4.9.1 okhttp artifact, however 3.14.9 is shown in tree
project
Simple Spring Boot app including lib project
<dependency>
<groupId>com.example</groupId>
<artifactId>lib</artifactId>
<version>0.0.1-SNAPSHOT</version>
<scope>test</scope>
</dependency>
Maven dependencies tree
\- com.example:lib:jar:0.0.1-SNAPSHOT:test
\- com.squareup.okhttp3:mockwebserver:jar:3.14.9:test
\- com.squareup.okhttp3:okhttp:jar:3.14.9:test
\- com.squareup.okio:okio:jar:1.17.2:test
The same problem is here. okhttp3:mockwebserver:jar:3.14.9 is included instead of 4.9.1 as it is specified in my lib pom.xml.
Is there anything I am missing in my xml configuration?

Found it it it is described in Introducing dependencies in other projects causes Maven to downgrade okhttp3 version
<properties>
<okhttp3.version>4.9.1</okhttp3.version>
</properties>
Fixes the issue

OkHttp provides a Maven BOM you can use to ensure a consistent version
https://github.com/square/okhttp#releases
Also, we have a bill of materials (BOM) available to help you keep
OkHttp artifacts up to date and be sure about version compatibility.
This example is gradle, but you it is originally a feature from maven.
https://docs.gradle.org/6.2/userguide/platforms.html#sub:bom_import
dependencies {
// define a BOM and its version
implementation(platform("com.squareup.okhttp3:okhttp-bom:4.9.3"))
// define any required OkHttp artifacts without version
implementation("com.squareup.okhttp3:okhttp")
implementation("com.squareup.okhttp3:logging-interceptor")
}

Override library version in Spring

I have the spring-ws-security dependency in a Spring Boot 2.1.7 project:
<dependency>
<groupId>org.springframework.ws</groupId>
<artifactId>spring-ws-security</artifactId>
</dependency>
Internally, the spring-ws-security pom has this dependency:
<dependency>
<groupId>org.apache.wss4j</groupId>
<artifactId>wss4j-ws-security-dom</artifactId>
<version>${wss4j.version}</version>
<exclusions>
...
</exclusions>
</dependency>
The parent of spring-ws-security is spring-ws, whose pom has a property:
<wss4j.version>2.2.0</wss4j.version>
I am trying to override this property in my pom file:
<properties>
<wss4j.version>2.2.4</wss4j.version>
...
</properties>
But it keeps taking the original 2.2.0 version:
$ mvn dependency:tree | grep wss4j
[INFO] | +- org.apache.wss4j:wss4j-ws-security-dom:jar:2.2.0:compile
[INFO] | | \- org.apache.wss4j:wss4j-ws-security-common:jar:2.2.0:compile
It takes the 2.2.4 version only if I explicitly supply the dependencies:
<dependency>
<groupId>org.apache.wss4j</groupId>
<artifactId>wss4j-ws-security-dom</artifactId>
<version>2.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.wss4j</groupId>
<artifactId>wss4j</artifactId>
<version>2.2.4</version>
<type>pom</type>
</dependency>
Isn't overriding the property enough? Am I doing something wrong?

Here there are two points to consider:
One if you want to override the version in the properties in pom.xml, then your pom should have a parent-child relationship
second is if you want to use a particular version then we need to
declare the required version in your pom.xml explicitly and may
exclude the dependency from the third party jar and do a mvn clean install
Here is more information on dependency management and properties in maven

As I know, if you leave it blank without define any version. it will get the newest version of its library. So, you are right if you want to override the newest version to old version or certain version, by put the specific version. Have you trying to "mvn clean install" for that project?

How to resolve "scanned from multiple locations" warnings caused by jersey

I have a Google App Engine project that I'm building with maven. I added jax-rs to it by adding the following bom to my pom:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-bom</artifactId>
<version>0.73.0-alpha</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey</groupId>
<artifactId>jersey-bom</artifactId>
<version>2.27</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Also I needed these three dependencies:
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet</artifactId>
<exclusions>
<exclusion><!-- Exclude this repackaged javax.inject. -->
<groupId>org.glassfish.hk2.external</groupId>
<artifactId>javax.inject</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.inject</groupId>
<artifactId>jersey-hk2</artifactId>
<exclusions>
<exclusion><!-- Exclude this repackaged javax.inject. -->
<groupId>org.glassfish.hk2.external</groupId>
<artifactId>javax.inject</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.media</groupId>
<artifactId>jersey-media-json-binding</artifactId>
</dependency>
As you can see I have excluded some of the repackaged to get rid of some runtime warnings about duplicate classes being found. To be clear, every rest call using the jax-rs api's works fine and I don't see the warnings on google app engine itself, just locally. (full code at https://github.com/Leejjon/blindpool) When running it on the local jetty runtime using 'mvn appengine:run', it still complains about every json related class in the javax.json-1.1.jar and javax.json-api-1.1.jar.
Example
[INFO] GCLOUD: 2018-12-11 22:01:13.495:WARN:oeja.AnnotationParser:main: Unknown asm implementation version, assuming version 393216
[INFO] GCLOUD: 2018-12-11 22:01:13.780:WARN:oeja.AnnotationParser:qtp551734240-15: javax.json.Json scanned from multiple locations: jar:file:///C:/Users/Leejjon/IdeaProjects/Blindpool/backend/target/blindpool-1.0-SNAPSHOT/WEB-INF/lib/javax.json-api-1.1.jar!/javax/json/Json.class, jar:file:///C:/Users/Leejjon/IdeaProjects/Blindpool/backend/target/blindpool-1.0-SNAPSHOT/WEB-INF/lib/javax.json-1.1.jar!/javax/json/Json.class
When I look at my 'mvn dependency:tree' output I can see that my 'jersey-media-json-binding' dependency has both javax.json-1.1 and javax.json-api-1.1 in it. And they have classes that have the same names.
[INFO] +- org.glassfish.jersey.media:jersey-media-json-binding:jar:2.27:compile
[INFO] | +- org.glassfish:javax.json:jar:1.1:compile
[INFO] | +- org.eclipse:yasson:jar:1.0:compile
[INFO] | | +- javax.json:javax.json-api:jar:1.1:compile
[INFO] | | \- javax.enterprise:cdi-api:jar:2.0:compile
[INFO] | | +- javax.el:javax.el-api:jar:3.0.0:compile
[INFO] | | \- javax.interceptor:javax.interceptor-api:jar:1.2:compile
[INFO] | \- javax.json.bind:javax.json.bind-api:jar:1.0:compile
Full dependency tree (https://pastebin.com/JfwzavDX).
I have tried to exclude them but failed to do so in a way that didn't cause me to actually break my web app and get errors like: javax.servlet.ServletException: org.glassfish.jersey.server.ContainerException: java.lang.ExceptionInInitializerError
TLDR: What dependency to I exclude here to get rid of the duplicate location warning thrown by the 'mvn appengine:run' command without breaking the jax-rs application.
Hoping for that jax-rs/maven/jetty/jersey/google app engine god to pass by and point me in the right direction :)

Why are my nested maven dependencies not showing up when compiling

I have a library named my-library which I packaged with Maven and stored on a private Nexus repository. It compiles and gets uploaded to my repo correctly and has the following dependencies specified in its pom.xml file:
<dependencies>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.13</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>3.1.0</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
</dependencies>
I am including this dependency in another project, my-child-project, using the following pom.xml blocks:
<repositories>
<repository>
<id>MyRepo</id>
<name>My Maven Repository</name>
<url>http://localhost:8081/nexus/repo</url>
</repository>
</repositories>
...
<dependencies>
<dependency>
<groupId>com.my.group</groupId>
<artifactId>my-library</artifactId>
<scope>compile</scope>
<version>1.0.0</version>
</dependency>
</dependencies>
When i run mvn clean install in my-child-project, it appears that maven is able to find and download my-library but not the nested dependency on com.google.protobuf unless i include it explicitly in the pom.xml for my-child-project. I can confirm that Maven can see my dependency but not the nested one when running mvn dependency:tree:
...
[INFO] +- org.springframework.data:spring-data-redis:jar:1.7.1.RELEASE:compile
[INFO] | +- org.springframework.data:spring-data-keyvalue:jar:1.1.1.RELEASE:compile
[INFO] | \- org.springframework:spring-oxm:jar:4.2.5.RELEASE:compile
[INFO] +- redis.clients:jedis:jar:2.8.1:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] +- com.my.group:my-library:jar:1.0.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.4:compile
...
Is this how a nested library dependency is supposed to work? I thought nested dependencies in other dependencies are automatically resolved and downloaded by Maven in compile scope. I was hoping to only list the nested dependency in my-library and not in my-child-project but it seems that doesn't work.

First, the parent pom.xml should add dependencyManagement tag outside the dependencies tag. This is just to manage the modules dependencies in one place, but not actually import them into your project.
You still have to declare it in your child module's pom. (But you can leave out the version tag, as that will be inherited from the parent pom)

#herokingsley's answer got me to the correct configuration. I was hesitating to try it because the answer seemed to suggest that i need to redeclare the nested dependency in my child. When i finally did try it i purposely did not declare the nested dependency in my-child-project and it still worked like a charm. Here is the code that solved my problem. I changed the code in my-library to the following:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>3.1.0</version>
<scope>compile</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.13</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
</dependencies>
The above change was enough as it resulted in the following output when running mvn dependency:tree:
...
[INFO] +- org.springframework.data:spring-data-redis:jar:1.7.1.RELEASE:compile
[INFO] | +- org.springframework.data:spring-data-keyvalue:jar:1.1.1.RELEASE:compile
[INFO] | \- org.springframework:spring-oxm:jar:4.2.5.RELEASE:compile
[INFO] +- redis.clients:jedis:jar:2.8.1:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] +- com.my.group:my-library:jar:1.0.0:compile
[INFO] | \- com.google.protobuf:protobuf-java:jar:3.1.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.4:compile
...

Maven/Eclipse/Android upgrading API version

We have been using Android API version 17 in a project and wish to upgrade to API version 19 because the application runs on Android 4.4.
We use Maven as our build environment. I have replaced all the occurrences of SDK version 17 to 19 in our AndroidManifest.xml. But I am having problems upgrading to the 4.4 platform through Maven.
I used the Android SDK Deployer tool to push the android-4.4 package into my local Maven repository. I then replaced the reference to android-4.2 to android-4.4 in our 'parent' POM.xml:
<dependencyManagement>
<dependencies>
<dependency>
<!-- <groupId>com.google.android</groupId> OLD -->
<groupId>android</groupId>
<artifactId>android</artifactId>
<!-- <version>4.2.2_r2</version> OLD -->
<version>4.4.2_r4</version>
<scope>provided</scope>
</dependency>
This change seemed to introduce a conflict. Another dependency is bringing in version 2.1_r1 of android package which is conflicting with the new 4.4.2_r4 package:
Excerpt from 'mvn dependency:tree':
.
[INFO] +- com.github.tony19:logback-android-classic:jar:1.0.10-2:compile
[INFO] | \- com.github.tony19:apktool-lib:jar:1.4.4-3:compile
[INFO] | \- com.google.android:android:jar:2.1_r1:compile
[INFO] | +- org.khronos:opengl-api:jar:gl1.1-android-2.1_r1:compile
[INFO] | +- xerces:xmlParserAPIs:jar:2.6.2:compile
[INFO] | \- xpp3:xpp3:jar:1.1.4c:compile
I noticed that if I move the <dependency> declaration of the 4.4 package above the logback-android-classic dependency declaration in pom.xml then our module will use the 4.4 dependency. However I don't think this is a proper fix, and I am running into various issues building the project as a whole.
Can those more experienced with Maven please advise on the correct way to resolve this?

Going through each affected module and adding an exclusion to the logback-android-classic dependency seems to have resolved it:
<exclusions>
<exclusion>
<artifactId>android</artifactId>
<groupId>android</groupId>
</exclusion>
<exclusion>
<artifactId>android</artifactId>
<groupId>com.google.android</groupId>
</exclusion>
</exclusions>