UpgradeParentVersion sometimes adds redundant managed dependencies #4199

simonzn opened this issue May 17, 2024 · 1 comment
Labels
bug Something isn't working


simonzn commented May 17, 2024

What version of OpenRewrite are you using?

  • OpenRewrite 2.11.0
  • Maven plugin 5.28.0
  • rewrite-maven 8.23.0

How are you running OpenRewrite?

Maven plugin from the command line

What is the smallest, simplest way to reproduce the problem?

I haven't yet managed to reproduce it in a unit test or small project, and I am not allowed to share one of our projects for you to reproduce the issue. I'll try to describe the situation and outcome:

  1. We have a parent POM which imports two POMs in its dependencyManagement (spring-cloud-dependencies and solace-spring-integration-leader)
  2. Some projects which use that parent import an additional bill-of-materials in their dependencyManagement (another POM which contains nothing but a dependencyManagement section to define dependency versions)
  3. When we update the parent POM in those projects, all used dependencies are copied from the bill-of-materials into the projects' dependencyManagement

This is limited to the dependencies from our bill-of-materials for some reason. The same does not happen e.g. for the dependencies managed by the spring-cloud-dependencies, which is imported by the parent.

Excerpt of POM before upgrade:

    <parent>
        <groupId>ch.sbb.tms.capaopt</groupId>
        <artifactId>releng-spring-boot-application-parent</artifactId>
        <version>6.1.2</version>
    </parent>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>ch.sbb.tms.capaopt</groupId>
                <artifactId>releng-techstack-bom</artifactId>
                <type>pom</type>
                <scope>import</scope>
                <version>7.0.3</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-stream</artifactId>
            <!-- version is managed (indirectly) by parent -->
        </dependency>
        <dependency>
            <groupId>community.solace.spring.boot</groupId>
            <artifactId>spring-boot-starter-solace-client-config</artifactId>
            <!-- version is managed by releng-techstack-bom -->
        </dependency>
    </dependencies>

What did you expect to see?

    <parent>
        <groupId>ch.sbb.tms.capaopt</groupId>
        <artifactId>releng-spring-boot-application-parent</artifactId>
        <version>7.0.0</version>
    </parent>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>ch.sbb.tms.capaopt</groupId>
                <artifactId>releng-techstack-bom</artifactId>
                <type>pom</type>
                <scope>import</scope>
                <version>7.0.3</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-stream</artifactId>
            <!-- version is still managed (indirectly) by parent -->
        </dependency>
        <dependency>
            <groupId>community.solace.spring.boot</groupId>
            <artifactId>spring-boot-starter-solace-client-config</artifactId>
            <!-- version is still managed by releng-techstack-bom -->
        </dependency>
    </dependencies>

What did you see instead?

    <parent>
        <groupId>ch.sbb.tms.capaopt</groupId>
        <artifactId>releng-spring-boot-application-parent</artifactId>
        <version>7.0.0</version>
    </parent>
    <dependencyManagement>
        <dependencies>
            <!-- new redundant managed dependency, which is already managed by releng-techstack-bom: -->
            <dependency>
                <groupId>community.solace.spring.boot</groupId>
                <artifactId>spring-boot-starter-solace-client-config</artifactId>
                <version>1.0.0</version>
            </dependency>
            <dependency>
                <groupId>ch.sbb.tms.capaopt</groupId>
                <artifactId>releng-techstack-bom</artifactId>
                <type>pom</type>
                <scope>import</scope>
                <version>7.0.3</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-stream</artifactId>
            <!-- version is still managed (indirectly) by parent -->
        </dependency>
        <dependency>
            <groupId>community.solace.spring.boot</groupId>
            <artifactId>spring-boot-starter-solace-client-config</artifactId>
        </dependency>
    </dependencies>

We manage many dependencies in the releng-techstack-bom, so after the upgrade we have tens of redundant managed dependencies; note that the releng-techstack-bom is not removed from the managed dependencies.

Are you interested in contributing a fix to OpenRewrite?

Unfortunately, I have no capacity to look into that myself right now. I'll try to build a small reproducer, but so far I have not managed to reproduce the issue with publicly available POMs.

Workaround

This issue is not reproducible with

  • OpenRewrite 2.8.1
  • Maven plugin 5.26.0
  • rewrite-maven 8.21.0

I think it was introduced with a3e2d86
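
A post-upgrade check for the symptom described in this issue, as an added example (not code from the issue or from OpenRewrite): it lists managed dependencies declared directly in a project POM that an imported BOM already manages. The BOM content and all helper names are constructed assumptions; in Maven, a directly declared managed dependency takes precedence over an imported one, so entries reported here stop following later BOM version bumps.

```python
import xml.etree.ElementTree as ET

def managed(pom_xml):
    """Split a POM's dependencyManagement into (direct, imports).
    direct: {(groupId, artifactId): version}; imports: [(groupId, artifactId)] of BOMs."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the Maven namespace if the POM declares one
        el.tag = el.tag.rsplit("}", 1)[-1]
    direct, imports = {}, []
    for dep in root.findall("./dependencyManagement/dependencies/dependency"):
        key = (dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip())
        if dep.findtext("scope", "").strip() == "import":
            imports.append(key)
        else:
            direct[key] = dep.findtext("version", "").strip()
    return direct, imports

def redundant_managed(project_xml, boms):
    """boms: {(groupId, artifactId): xml_text} for the BOMs the project imports.
    Returns [(groupId, artifactId, project_version, bom_version)] for every directly
    managed dependency that an imported BOM already manages."""
    direct, imports = managed(project_xml)
    findings = []
    for bom_key in imports:
        bom_direct, _ = managed(boms[bom_key]) if bom_key in boms else ({}, [])
        for key in direct.keys() & bom_direct.keys():
            findings.append((*key, direct[key], bom_direct[key]))
    return sorted(findings)

# --- constructed sample input, modelled on the "What did you see instead?" excerpt ---
def make_dep(g, a, v, extra=""):
    return (f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
            f"<version>{v}</version>{extra}</dependency>")

def make_pom(*deps):
    return ("<project><dependencyManagement><dependencies>" + "".join(deps) +
            "</dependencies></dependencyManagement></project>")

SOLACE = ("community.solace.spring.boot", "spring-boot-starter-solace-client-config", "1.0.0")
BOM = ("ch.sbb.tms.capaopt", "releng-techstack-bom")
IMPORT = "<type>pom</type><scope>import</scope>"
PROJECT_POM = make_pom(make_dep(*SOLACE), make_dep(*BOM, "7.0.3", IMPORT))
# The real releng-techstack-bom is not on the page; this stand-in is an assumption.
BOM_POM = make_pom(make_dep(*SOLACE))

if __name__ == "__main__":
    for g, a, pv, bv in redundant_managed(PROJECT_POM, {BOM: BOM_POM}):
        note = "same version" if pv == bv else "overrides the BOM version"
        print(f"redundant: {g}:{a}:{pv} (BOM manages {bv}; {note})")
```
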

simonzn added the bug (Something isn't working) label May 17, 2024
simonzn changed the title from "UpgradeParentVersion sometimes blows up the dependencyManagement section" to "UpgradeParentVersion sometimes adds redundant managed dependencies" May 17, 2024
@timtebeek
Contributor

Thanks for the report! Could see indeed how this is a complicated one to replicate given all that's involved. I'll tag @sambsnyd based on his earlier work in a3e2d86 that you referenced, to see if he has any ideas given the above.

Do let us know if you manage to create that reproducer, as there's a lot of parts we'd hope to condense down into something we can test and fix.
