Maven used but undeclared dependencies

Question

I discovered interesting features provided by the maven dependency plugin. I've analyzed one of my projects and got the following output:

[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.6:compil
e
[WARNING]    javax.xml.soap:saaj-api:jar:1.3:compile
[WARNING]    org.apache.geronimo.specs:geronimo-annotation_1.0_spec:jar:1.1.1:co
mpile
[WARNING]    org.apache.geronimo.specs:geronimo-jaxws_2.1_spec:jar:1.0:compile
[WARNING]    org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Fin
al:compile
[WARNING]    org.apache.geronimo.specs:geronimo-ws-metadata_2.0_spec:jar:1.1.2:c
ompile
[WARNING] Unused declared dependencies found:
[WARNING]    junit:junit:jar:4.5:test
[WARNING]    log4j:apache-log4j-extras:jar:1.1:compile
[WARNING]    org.slf4j:slf4j-log4j12:jar:1.6.4:compile
[WARNING]    org.slf4j:slf4j-api:jar:1.6.4:compile
[WARNING]    org.hibernate:hibernate-c3p0:jar:3.6.8.Final:runtime

The "unused declared" section is clear for me. Concerning the "used undeclared" section, it shows me the dependencies that are used directly by my project but included in the classpath transitively by Maven.

Let's take the first one as example "org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.6:compile", this dependency is included since it is a dependency of cxf-rt-core-2.2.6. But, the code present in the JAR is also used directly by the project. I'm wondering now that when this project has been written, the developer may had the intention to use another Java Mail JAR.

If I want to use CXF 2.2.6 in one of my projects, I automatically get the Java Mail spec provided by Geronimo as a transitive dependency. What if I want to use another Java Mail API? By looking in search.maven.org, I can see that many JAR provide the Java Mail API.

Thanks

Answer 1

If you want to exclude a particular transitive dependency you can use the exclusions for dependencies.

<dependency>
  <groupId>...</groupId>
  <artifactId>..</artifactId>
  <version>..</version>
  <exclusions>
    <exclusion>
      <groupId>sample.ProjectB</groupId>
      <artifactId>Project-B</artifactId>
    </exclusion>
    ..
  </exclusions> 
</dependency>

This is only possible for the first level of transitive dependencies.

Answer 2

It's likely that the programmer neglected to check the version of the Java Mail API jar at all - this is precisely the reason for the 'Used undeclared dependencies' warning. You should fix by adding the dependency in the main POM as a direct dependency. Use the version that currently works (because it's included transitively) and don't worry about the original programmer's intention - they probably didn't think about it at all.

Then, if the transitive version changes in a breaking way, your project should be OK because it's listed directly.