The dependency tree for poi-ooxml-schemas looks like this: org.apache.poi:poi-ooxml-schemas:jar:3.7:compile +- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile | \- stax:stax-api:jar:1.0.1:compile \- org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:jar:1.0:compile It would seem that geronimo's stax api was added as part of Bug 46758: https://issues.apache.org/bugzilla/show_bug.cgi?id=46758 The problem is that the stax-api dependency is essentially duplicated because xmlbeans uses stax:stax-api, while poi is using org.apache.geronimo.specs:geronimo-stax-api_1.0_spec. (If they used the same groupId/artifactId, then there would not be duplication as Maven would recognize these artifacts as being logically the same.) If you must keep with geronimo's stax-api, then I suggest excluding stax:stax-api. BTW... com.sun.xml.bind:jaxb-impl references javax.xml.stream:stax-api:jar:1.0:compile -- so this jar has 3 aliases.
I think we do need to keep our own stax api dependency, as it is required for some things. We want to use the geronimo one too, for licensing reasons I'd suggest therefore that we exclude the other stax api pulled in via xmlbeans. Any chance you (or another maven guru) could work out the appropriate lines to add into the pom to do that?
Sure. From: http://svn.apache.org/repos/asf/poi/trunk/maven/poi-ooxml-schemas.pom The dependency should be: <dependencies> <dependency> <groupId>org.apache.xmlbeans</groupId> <artifactId>xmlbeans</artifactId> <version>2.3.0</version> <!-- Excluding XMLBean's STAX because we want to use Geronimo's --> <exclusions> <exclusion> <groupId>stax</groupId> <artifactId>stax-api</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>org.apache.geronimo.specs</groupId> <artifactId>geronimo-stax-api_1.0_spec</artifactId> <version>1.0</version> </dependency> </dependencies> Adding the <exclusions> to the XMLBeans dependency would do the trick. (Might also be nice to upgrade XMLBeans, but I'm not sure if that needs to be a separate request.)
POI should run fine with stax:stax-api. Other Apache projects use this dependency I don't see why POI shouldn't. We used to depend on javax.xml.bind.jsr173_api and had to switch to geronimo's because of that licensing issue. stax:stax-api is ALv2 (see http://repo2.maven.org/maven2/stax/stax-api/1.0.1/stax-api-1.0.1.pom) and is fine from the licensing point of view. I checked locally and POI builds OK against stax:stax-api, both under JDK 1.5 and JDK 1.6, so I'm for abandoning geronimo and using stax-api. Perhaps, to be on the safe side, we can split the fix into two parts: (a) The short-term fix is to exclude stax-api from poi-ooxml-schemas.pom, as suggested above. This is definitely safe and we can push this fix in 3.8-beta1 (expected in early March) (b) The long-term fix is to abandon org.apache.geronimo.specs:geronimo-stax-api_1.0_spec and to use stax:stax-api. BTW, commons-logging:jar:1.1 has a weird dependency chain. What avalon-framework and servlet-api are doing here? $ mvn dependency:tree [INFO] Scanning for projects... [INFO] Searching repository for plugin with prefix: 'dependency'. [INFO] ------------------------------------------------------------------------ [INFO] Building Maven test project [INFO] task-segment: [dependency:tree] [INFO] ------------------------------------------------------------------------ [INFO] [dependency:tree {execution: default-cli}] [INFO] org.apache.poi.maven:maven-test:jar:1.0-beta [INFO] +- junit:junit:jar:3.8.1:test [INFO] \- org.apache.poi:poi-ooxml:jar:3.6:compile [INFO] +- org.apache.poi:poi:jar:3.6:compile [INFO] | +- commons-logging:commons-logging:jar:1.1:runtime [INFO] | | +- logkit:logkit:jar:1.0.1:runtime [INFO] | | +- avalon-framework:avalon-framework:jar:4.1.3:runtime [INFO] | | \- javax.servlet:servlet-api:jar:2.3:runtime [INFO] | \- log4j:log4j:jar:1.2.13:runtime [INFO] +- org.apache.poi:poi-ooxml-schemas:jar:3.7-beta4:compile [INFO] | +- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile [INFO] | | \- stax:stax-api:jar:1.0.1:compile [INFO] | \- org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:jar:1.0:compile [INFO] \- dom4j:dom4j:jar:1.6.1:compile [INFO] \- xml-apis:xml-apis:jar:1.0.b2:compile [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESSFUL [INFO] ------------------------------------------------------------------------ [INFO] Total time: 9 seconds [INFO] Finished at: Mon Feb 21 11:05:52 MSK 2011 [INFO] Final Memory: 10M/24M [INFO] ------------------------------------------------------------------------ Yegor
The commons logging thing is a "this is what you need to begin using" vs "this is what you need to do everything" thing. IIRC, it has a few methods in there to work well with some servlet stuff, but to use that you end up pulling in avalon... One fix is to add this to the commons logging dependency line: <exclusions> <exclusion> <groupId>avalon-framework</groupId> <artifactId>avalon-framework</artifactId> </exclusion> <exclusion> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> </exclusion> </exclusions> The other is to move to commons-logging 1.1.1, which apparently correctly marked those ones as being optional rather than required (see https://issues.apache.org/jira/browse/LOGGING-113). I'd say probably this is the right fix, is someone able to verify that?
I went ahead and removed geronimo's stax api from poi-ooxml-schemas. The dependency tree is now as follows: +- org.apache.poi:poi-ooxml-schemas:jar:3.8-beta1:compile | \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile | \- stax:stax-api:jar:1.0.1:compile The fix applied in r1073683 Yegor