Bug 65670 - Dependency convergence issue with org.osgi.core (v4.3.1 and v6.0.0) in POI 5.1.0
Status: NEW
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall
Version: unspecified
Hardware: Macintosh other
Importance: P2 minor
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-05 00:10 UTC by Daniel Subelman
Modified: 2021-11-21 17:30 UTC
Description Daniel Subelman 2021-11-05 00:10:47 UTC
Dependency convergence issue with org.osgi.core (v4.3.1 and v6.0.0).

On one hand, poi and poi-ooxml-full have log4j as a dependency, which uses org.osgi.core v4.3.1.
On the other hand, poi-ooxml has commons-compress as a dependency, which uses org.osgi.core v6.0.0.

Here is the maven-enforcer-plugin report:

+-org.apache.poi:poi:jar:5.1.0:compile
  +-org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
    +-org.osgi:org.osgi.core:jar:4.3.1:runtime
and
+-org.apache.poi:poi-ooxml:jar:5.1.0:compile
  +-org.apache.commons:commons-compress:jar:1.21:compile
    +-org.osgi:org.osgi.core:jar:6.0.0:provided
and
+-org.apache.poi:poi-ooxml-full:jar:5.1.0:compile
  +-org.apache.logging.log4j:log4j-core:jar:2.14.1:runtime
    +-org.osgi:org.osgi.core:jar:4.3.1:runtime

As a workaround to get rid of the "maven-enforcer" violation, I modified the pom as follows:

<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi</artifactId>
    <version>5.1.0</version>
</dependency>

<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi-ooxml</artifactId>
    <version>5.1.0</version>
    <exclusions>
        <exclusion>
            <groupId>org.osgi</groupId>
            <artifactId>org.osgi.core</artifactId>
        </exclusion>
    </exclusions>
</dependency>

I don't know what issues this exclusion can produce.
Comment 1 PJ Fanning 2021-11-05 00:20:14 UTC
Are you sure this causes any real issues? Generally, you just use the higher version of osgi.core. If you do that, does that stop log4j from working?

The real issue is that log4j and commons-compress have outdated dependencies on osgi.core - there is now an 8.0.0 release. 

You should really report that to those teams. Not much the POI team can do about it.
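The approach suggested in Comment 1 (converge on the higher org.osgi.core version rather than excluding it from poi-ooxml) can be expressed in the pom without touching either POI dependency. The fragment below is an added example, not from the bug report or the POI project: the maven-enforcer-plugin version 3.0.0 and the rule configuration are assumptions, and 6.0.0 is simply the higher of the two versions in the enforcer report above.

```xml
<!-- Added example, not from the bug report or the POI project. -->
<project>
  <!-- dependencyManagement also governs transitive dependencies, so both
       log4j (4.3.1) and commons-compress (6.0.0) resolve to this one version.
       6.0.0 is the higher version shown in the enforcer report; a later
       osgi.core release is then a single, deliberate version change here. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.osgi</groupId>
        <artifactId>org.osgi.core</artifactId>
        <version>6.0.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The POI dependencies stay as the report shows them, with no exclusion. -->
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi</artifactId>
      <version>5.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>
      <version>5.1.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Keep the convergence check active so a future transitive split
           (or a new conflicting version pulled in by another library) still
           fails the build instead of resolving silently. Plugin version assumed. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>enforce-dependency-convergence</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree` afterwards should show a single org.osgi.core version under both log4j and commons-compress, and `mvn validate` passes the dependencyConvergence rule. Compared with the exclusion in the report, this keeps the artifact present for any code path that needs it and makes the chosen version explicit in the build (and in any generated SBOM), which is the property a dependency review actually wants.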
Comment 2 Daniel Subelman 2021-11-05 00:49:37 UTC
I'm not sure if this causes a real issue. I am submitting this maven-enforcer-plugin warning in case the POI development team wants to tackle this convergence 'issue' directly.

I agree that both osgi.core versions are outdated and I'll report them to the respective teams. However, there is a chance that even if log4j and commons-compress update their versions they won't match when osgi.core releases a new version in the future (they probably won't update to the latest version at the same time given that they don't update versions regularly).