[GRADLE-1512] pom generation does not retain the correct order of dependencies Created: 04/May/11  Updated: 10/Feb/17  Resolved: 10/Feb/17

Status: Resolved
Project: Gradle
Affects Version/s: 1.0-milestone-3
Fix Version/s: None

Type: Bug
Reporter: Russ Egan Assignee: Unassigned
Resolution: Won't Fix Votes: 1


I'm generating a pom.xml from gradle, using project.pom(). My gradle dependencies are ordered like this:

springVersion = "3.0.5.RELEASE"

springSecurityVersion = "2.0.5.RELEASE"

The resulting pom's <dependencies> are ordered differently. The spring security dependencies are mixed in with the spring framework dependencies. This results in an incorrect compile classpatch. One of the security jars gets re-ordered ahead of the framework-tx jar, both depend on spring-aop, but the security jar depends on an older version. The newer version is the needed dependency.

The problem, I think, lies in DefaultPomDependenciesConverter. It stores all the dependencies as keys in maps, then iterates over the keys. The order of keys in maps in undefined of course, where as the order of the dependency declarations is significant.

It is significant, right? I see in Configuration dependencies are always returned as Sets, and the configurations are passed to DefaultPomDependenciesConverter as a Set...are you anywhere retaining the order of dependencies, or is it expected to be nondeterministic?

Comment by Russ Egan [ 05/May/11 ]

I think the severity can be reduced. I can use dependencyManagement in the pom.xml to compensate for the non-deterministic dependency order. Maven's transitive dependency conflict resolution strategy is pretty screwy anyway ("closest" to the root of the dependency tree, falling back to declaration order when conflict is at the same depth). Gradle's "take the higher version" is much clearer.

Comment by Andrew Spina [ 30/Dec/11 ]

I've encountered a similar problem in 1.0-milestone-6. I can file a separate ticket if that's preferred. My project uses an external jar called "J-sky". We add functionality by building our own jar that masks certain classes. My a simplified version of my build looks like this:

dependencies {
  compile project(':JSky')
  compile files("../Libraries/jsky-science.jar")

The resulting (simplified) classpath looks like this:

  -classpath ./Libraries/jsky.jar:./JSky/build/libs/JSky.jar

I have not checked whether or not the order is deterministic or not. I would expect the order that I specify in 'dependencies' to propagate to my classpath. Can I do this?

I also posted this question here (http://forums.gradle.org/gradle/topics/how_do_i_control_the_order_of_compiletime_classpaths) sorry if I picked the wrong place.

Comment by Peter Niederwieser [ 11/Jan/12 ]

I don't see jsky-science.jar anywhere in the class path you give.

Comment by Kai-Chung Yan (殷啟聰) [ 14/Sep/16 ]

This issue can also be titled as "POM Generation Randomly Orders the Dpendencies".

This randomness leads to unreproducibility, which is a severe bug for me.

I am maintaining some Debian packages that are built by Gradle, and Debian packages ususally includes POMs as metadata. Since Gradle projects does not use POMs, I generate them by using

pom {
  project {}

However the order of the dependencies in the POMs is different in each build. See the diffoscope report (the link may get out-of-date).

Currently I sort the dependencies after the MavenPom object is configured, but I hope that it can be solved upstream. The ordering logic seems to be done in the Maven project's ModelBase. If Gradle won't solve this, at least sort the dependencies during the writeTo() method.

I hope more people notice this issue.

Comment by Benjamin Muschko [ 15/Nov/16 ]

As announced on the Gradle blog we are planning to completely migrate issues from JIRA to GitHub.

We intend to prioritize issues that are actionable and impactful while working more closely with the community. Many of our JIRA issues are inactionable or irrelevant. We would like to request your help to ensure we can appropriately prioritize JIRA issues you’ve contributed to.

Please confirm that you still advocate for your JIRA issue before December 10th, 2016 by:

  • Checking that your issues contain requisite context, impact, behaviors, and examples as described in our published guidelines.
  • Leave a comment on the JIRA issue or open a new GitHub issue confirming that the above is complete.

We look forward to collaborating with you more closely on GitHub. Thank you for your contribution to Gradle!

Comment by Benjamin Muschko [ 10/Feb/17 ]

Thanks again for reporting this issue. We haven't heard back from you after our inquiry from November 15th. We are closing this issue now. Please create an issue on GitHub if you still feel passionate about getting it resolved.

Generated at Wed Jun 30 11:57:23 CDT 2021 using Jira 8.4.2#804003-sha1:d21414fc212e3af190e92c2d2ac41299b89402cf.