Make com.fasterxml.jackson.core:jackson-core dependency optional #162

Closed
mbasmanova opened this issue Mar 21, 2018 · 11 comments

@mbasmanova
Contributor

I'm trying to upgrade to ESRI 2.1.0, but it requires version 2.9.4 of com.fasterxml.jackson.core:jackson-core. My project - https://prestodb.io/ - currently uses jackson-core:2.8.1 and can't upgrade to jackson-core:2.9.4 due to a regression, FasterXML/jackson-databind#1972. Since I don't use any GeoJSON features yet, I tried to exclude the dependency, but it is not optional.

Would it be possible to make this dependency optional?

@randallwhitman
Contributor

Hi Maria - does it work to effectively ignore the version of the dependency declared in the Geometry POM, by overriding it in your POM? For example, with Spatial Framework for Hadoop, I just ran mvn clean test -Pjackson-2.8 and it built and tested successfully.

@randallwhitman
Contributor

Btw see also #151, CVE-2017-7525

@mbasmanova
Contributor Author

@randallwhitman

Hi Maria - does it work to effectively ignore the version of the dependency declared in the Geometry POM, by overriding it in your POM?

This doesn't seem to work. How is this supposed to work?

@randallwhitman
Contributor

I was thinking an entry in dependencyManagement, in the top-level pom.xml file.
(In the example a few hours ago, I used a non-default maven profile when testing, because the Jackson version in spatial-framework-for-hadoop dependencyManagement is now the same version as in Geometry.)
https://github.com/Esri/spatial-framework-for-hadoop/blob/master/pom.xml#L332..L366

@mbasmanova
Contributor Author

@randallwhitman Randall, dependencyManagement applies only to child POMs. It doesn't change how the actual dependencies have been built.

@randallwhitman
Contributor

I'd think that at runtime it would use the version present even if built against a different version.
Maybe I'm not understanding the real issue here. @stolstov Are you understanding the issue?

@stolstov
Member

@mbasmanova I googled around and maybe this is what you want. I have not tried this:

<dependency>
  <groupId>com.esri.geometry</groupId>
  <artifactId>esri-geometry-api</artifactId>
  <version>2.1.0</version>
  <exclusions>
    <exclusion>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
    </exclusion>
  </exclusions>
</dependency>

https://stackoverflow.com/questions/6542118/override-dependencies-of-third-party-jar-in-maven?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa

POM doc exclusions:
http://maven.apache.org/pom.html#Exclusions

@randallwhitman
Contributor

Ah yes, in Spatial Framework for Hadoop we have an exclusion with Hive-.14 version profile :)

@mbasmanova
Contributor Author

@stolstov Sergey, I tried that, but it doesn't work because jackson-core is not an optional dependency:

https://github.com/Esri/geometry-api-java/blob/master/pom.xml#L111

		<dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-core</artifactId>
			<version>${jackson.version}</version>
			<optional>false</optional>
		</dependency>

Would it be possible to change the above to <optional>true</optional>?

@stolstov
Member

@mbasmanova Did the maven behavior change for this? The docs that I found say explicitly that the exclusions can be used on the non-optional dependencies.

@mbasmanova
Contributor Author

@stolstov @randallwhitman Oh... sorry for the confusion. I was adding the exclusion to dependencyManagement in the parent pom and that didn't work. I then added it to all the child pom files and that seems to be working. Thanks for helping to sort this out!
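
Added example, not part of the original thread or of either project's code: a per-module check that the exclusion discussed above took effect, by parsing `mvn dependency:tree` output and reporting where jackson-core still arrives through esri-geometry-api. The sample output and the module names (`module-a`, `module-b`) are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the thread):
# module-a declares the exclusion and its own jackson-core, module-b does not.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ module-a ---
[INFO] com.example:module-a:jar:1.0-SNAPSHOT
[INFO] +- com.esri.geometry:esri-geometry-api:jar:2.1.0:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-core:jar:2.8.1:compile
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ module-b ---
[INFO] com.example:module-b:jar:1.0-SNAPSHOT
[INFO] \\- com.esri.geometry:esri-geometry-api:jar:2.1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
"""

# Tree prefix is built from 3-character groups ("|  ", "   ", "+- ", "\- "),
# followed by group:artifact:type[:classifier]:version[:scope].
NODE = re.compile(
    r"^\[INFO\] ((?:[| ]  )*(?:[+\\]- )?)"
    r"([\w.\-]+(?::[\w.\-]+){3,5})(?: \(.*\))?$"
)

def find_paths(tree_text, artifact="com.fasterxml.jackson.core:jackson-core"):
    """Return (module, version, via) for every occurrence of `artifact`."""
    hits, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # plugin banners, blank lines, build summary
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        ga = ":".join(parts[:2])
        # The module root has no scope field; dependencies end in :scope.
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(ga)
        if ga == artifact:
            hits.append((stack[0], version, stack[1:-1]))
    return hits

def leaked(tree_text, parent="com.esri.geometry:esri-geometry-api"):
    """Modules where jackson-core is still pulled in transitively via `parent`."""
    return [(mod, ver) for mod, ver, via in find_paths(tree_text) if parent in via]

if __name__ == "__main__":
    for module, version in leaked(SAMPLE_TREE):
        print(f"{module}: jackson-core {version} still resolved via esri-geometry-api")
```
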
