Description
As a user, I would expect maven.install() to not include any artifacts not specified by me. This doesn't seem to be the case, as there are several artifacts that will always be included under the default maven repository (@maven). This can result in artifact version conflicts which are surprising and difficult to debug, since users may not be able to reverse query the usage of these artifacts.
For example, let's create an empty Bazel project with the following MODULE.bazel:
module(name = "test")
bazel_dep(name = "rules_jvm_external", version = "6.1")
maven = use_extension("@rules_jvm_external//:extensions.bzl", "maven")
maven.install()
use_repo(maven, "maven")
If we run
> bazel run @maven//:pin
we will get a maven_install.json with a few dozen artifacts (rules_jvm_external~~maven~maven_install.json). Instead, I would expect an almost empty file.
Looking inside the file, we see that it includes com.google.guava:guava:31.1-jre, amongst others. If the user declares their own Guava version
maven.install(
artifacts = [
"com.google.guava:guava:33.2.1-jre",
],
)
they will get a warning
DEBUG: /home/joao/.cache/bazel/_bazel_joao/f8a6fd52db31bf3b20511531b25631c2/external/rules_jvm_external~/private/extensions/maven.bzl:154:14: The maven repository 'maven' is used in two different bazel modules, originally in 'test' and now in 'protobuf'
DEBUG: /home/joao/.cache/bazel/_bazel_joao/f8a6fd52db31bf3b20511531b25631c2/external/rules_jvm_external~/private/extensions/maven.bzl:154:14: The maven repository 'maven' is used in two different bazel modules, originally in 'test' and now in 'protobuf'
DEBUG: /home/joao/.cache/bazel/_bazel_joao/f8a6fd52db31bf3b20511531b25631c2/external/rules_jvm_external~/coursier.bzl:743:18: Found duplicate artifact versions
com.google.guava:guava has multiple versions 33.2.1-jre, 31.1-jre
Please remove duplicate artifacts from the artifact list so you do not get unexpected artifact versions
If the user uses duplicate_version_warning = "error", they will be unable to resolve the error unless they use a different name for their maven repository.
(When using a non-default name for the maven repository, e.g. maven.install(name = "java", ...), those artifacts are not included.)
Where are these artifacts coming from? They seem to be needed and included by rules_jvm_external itself. Can we remove them or move them to another name so they don't conflict with the user specified artifacts by default? While it's possible to work around this behaviour by specifying a custom name for the maven repository, I think that the default behaviour should avoid surprising users and not include extra artifacts.
Activity