SpringBoot Maven 4 warnings from spring-boot-dependencies

This issue was introduced in SpringBoot 3.2.0 and later

Reproducer: https://github.com/apache/shiro/tree/main/samples/spring-boot-3-web

Warnings

mvnd clean package
[INFO] Processing build on daemon 539d9af4
[INFO] Scanning for projects...
[WARNING] 
[WARNING] Some problems were encountered while building the effective model for 'org.apache.shiro.samples:samples-spring-boot-3-web:war:2.0.0-SNAPSHOT'
[WARNING] Ignored POM import for: org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.10.2@compile as already imported org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.11.0@compile.  Add a the conflicting managed dependency directly to the dependencyManagement section of the POM. @ org.springframework.boot:spring-boot-dependencies:3.3.3, /Users/lprimak/.m2/repository/org/springframework/boot/spring-boot-dependencies/3.3.3/spring-boot-dependencies-3.3.3.pom
[WARNING] Ignored POM import for: org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.7.0@compile as already imported org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.11.0@compile.  Add a the conflicting managed dependency directly to the dependencyManagement section of the POM. @ org.springframework.boot:spring-boot-dependencies:3.3.3, /Users/lprimak/.m2/repository/org/springframework/boot/spring-boot-dependencies/3.3.3/spring-boot-dependencies-3.3.3.pom

Solution: Add explicit artifact to spring-boot-dependencies.pom (dependencyManagement section):

      <dependency>
        <groupId>org.apache.maven.plugin-tools</groupId>
        <artifactId>maven-plugin-annotations</artifactId>
        <version>3.12.0</version>
      </dependency>

Comment From: wilkinsona

We don't yet support Maven 4 so I would not consider this to be a regression. It also doesn't appear to have been introduced in Spring Boot 3.3.3. Using a minimal Maven project generated on https://start.spring.io, I see the same behavior with 3.3.2, 3.3.1, and 3.3.0 where each logs something similar to the following:

[WARNING] Ignored POM import for: org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.10.2@compile as already imported org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.11.0@compile.  Add a the conflicting managed dependency directly to the dependencyManagement section of the POM.
[WARNING] Ignored POM import for: org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.7.0@compile as already imported org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.11.0@compile.  Add a the conflicting managed dependency directly to the dependencyManagement section of the POM.

To be sure that we're looking at the same problem as you have seen, can you please provide a minimal example that logs the warnings with 3.3.3 but does not do so with earlier versions? To keep things as simple as possible and to eliminate other external causes, it should use spring-boot-starter-parent directly.

Comment From: lprimak

I was mistaken with the version where this regression was introduced. The first version with warnings was 3.2.0 Any versions prior to that worked without warnings. Yes, we are talking about exact same problem, and besides the last working version #, all other info is correct.

Comment From: wilkinsona

This isn't, specifically, a Spring Boot problem. A very similar warning can be produced using Maven 4.0.0-beta-3 with this pom:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>gh-42015</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>gh-42015</name>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.pulsar</groupId>
                <artifactId>pulsar-bom</artifactId>
                <version>3.3.1</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
            <dependency>
                <groupId>org.apache.activemq</groupId>
                <artifactId>artemis-bom</artifactId>
                <version>2.36.0</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>

[WARNING] Some problems were encountered while building the effective model for 'com.example:gh-42015:jar:0.0.1-SNAPSHOT'
[WARNING] Ignored POM import for: org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.13.1@compile as already imported org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.7.0@compile.  Add a the conflicting managed dependency directly to the dependencyManagement section of the POM.

The warnings are caused by the bom's ancestors. pulsar-bom inherits from org.apache:apache:29 and artemis-bom from org.apache:apache:33. These two different versions of the org.apache:apache pom manage two different versions of org.apache.maven.plugin-tools:maven-plugin-annotations which Maven 4 warns about.

Spring Boot doesn't care about the version of maven-plugin-annotations that's used so I don't think we should follow the suggestion and start managing the version in spring-boot-dependencies. I also doubt that Pulsar and Artemis care about the version of maven-plugin-annotations so it's unfortunate that the management of its version is leaking into their boms (and the boms of various other Apache projects that inherit from org.apache:apache).

To stop spring-boot-dependencies from triggering the warning with Maven 4, we'd have to stop using various Apache boms and manually declare equivalent dependency management instead. While technically possible, I think it would be better for the problem to be fixed at source so that everyone can benefit and not just consumers of spring-boot-dependencies. That'll require a coordinated effort across many projects. The first step would be to explore the possibility of changing https://github.com/apache/maven-apache-parent to remove the unwanted management of maven-plugin-annotations. If that change is accepted, the many projects that inherit from org.apache:apache would then have to upgrade to a new version.

@lprimak To get the ball rolling, please open an issue against the Maven Apache Parent project and comment here with a link to it so that we can subscribe to it and follow the discussion. If things don't work out on the Apache side by the time that we want to officially support Maven 4, we can consider alternative options but I'm going to close this one for now in the hope that it can be resolved at source without us having to deploy a workaround.

Comment From: lprimak

Thank you

Comment From: wilkinsona

I've opened https://github.com/apache/maven-apache-parent/issues/265.

Comment From: cstamas

Just FYI, Maveniverse Toolbox to track BOM contents: https://gist.github.com/cstamas/0ac04cad0b1b30d1be710e826ef4712f