Bug 65670

Summary: Dependency convergence issue with org.osgi.core (v4.3.1 and v6.0.0) in POI 5.1.0
Product: POI
Reporter: Daniel Subelman <dsubelman>
Component: POI Overall
Assignee: POI Developers List <dev>
Status: NEW
Severity: minor
Priority: P2
Version: unspecified
Target Milestone: ---
Hardware: Macintosh
OS: other

Description Daniel Subelman 2021-11-05 00:10:47 UTC
Dependency convergence issue with org.osgi.core (v4.3.1 and v6.0.0).

On one hand, poi and poi-ooxml-full have log4j as a dependency, which uses org.osgi.core v4.3.1.
On the other hand, poi-ooxml has commons-compress as a dependency, which uses org.osgi.core v6.0.0.

Here is the maven-enforcer-plugin report:

+-org.apache.poi:poi:jar:5.1.0:compile
  +-org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
    +-org.osgi:org.osgi.core:jar:4.3.1:runtime
and
+-org.apache.poi:poi-ooxml:jar:5.1.0:compile
  +-org.apache.commons:commons-compress:jar:1.21:compile
    +-org.osgi:org.osgi.core:jar:6.0.0:provided
and
+-org.apache.poi:poi-ooxml-full:jar:5.1.0:compile
  +-org.apache.logging.log4j:log4j-core:jar:2.14.1:runtime
    +-org.osgi:org.osgi.core:jar:4.3.1:runtime

As a workaround to get rid of the "maven-enforcer" violation, I modified the pom to:

<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi</artifactId>
    <version>5.1.0</version>
</dependency>

<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi-ooxml</artifactId>
    <version>5.1.0</version>
    <exclusions>
        <exclusion>
            <groupId>org.osgi</groupId>
            <artifactId>org.osgi.core</artifactId>
        </exclusion>
    </exclusions>
</dependency>

I don't know what issues this exclusion can produce.
Comment 1 PJ Fanning 2021-11-05 00:20:14 UTC
Are you sure this causes any real issues? Generally, you just use the higher version of osgi.core. If you do that, does that stop log4j from working?

The real issue is that log4j and commons-compress have outdated dependencies on osgi.core - there is now an 8.0.0 release. 

You should really report that to those teams. Not much the POI team can do about it.
Comment 2 Daniel Subelman 2021-11-05 00:49:37 UTC
I'm not sure if this causes a real issue. I submit this maven-enforcer-plugin warning if the POI development team wants to directly tackle this convergence 'issue'.

I agree that both osgi.core versions are outdated and I'll report them to the respective teams. However, there is a chance that even if log4j and commons-compress update their versions they won't match when osgi.core releases a new version in the future (they probably won't update to the latest version at the same time given that they don't update versions regularly).