Lagom bom-pom includes transitive dependencies which makes it very hard to change them. My understanding of bom-pom is that it should only include the modules of the library, so it is bound to the same version.

Transitive dependencies then should be managed by each module separately, if it needs override or not, but it should not be present in the bom-pom.

The problem with bom-pom is that it effectively replaces the bom-pom in my pom.xml with all of the dependencies in the bom-pom. This leads to

1. The included dependency acts as if my module imported it directly (hard to debug)
2. I can't override transitive dependencies unless stating them explicitely.

See the example below.

Lagom Version 1.6.7

API Java

Docker openjdk:17

JDK docker - openjdk:17

Actual behaviour

I discovered the behaviour when upgrading mockito in my project. Excerpt from my pom.xml:

            <dependency>
                <groupId>com.lightbend.lagom</groupId>
                <artifactId>lagom-maven-dependencies</artifactId>
                <version>${lagom.version}</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
            
            ...
     
            <dependency>
                <groupId>org.mockito</groupId>
                <artifactId>mockito-bom</artifactId>
                <version>4.5.1</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>

Now in one of my my modules, I import mockito-core. The expectation is that I have mockito-core on 4.5.1 and its correct dependencies dependencies. Running mvn dependency:tree results in following info:

[INFO] \- org.mockito:mockito-core:jar:3.2.4:test
[INFO]    +- net.bytebuddy:byte-buddy:jar:1.10.5:test
[INFO]    +- net.bytebuddy:byte-buddy-agent:jar:1.10.5:test
[INFO]    \- org.objenesis:objenesis:jar:2.6:test

leading, to my surprise, with completely random version of mockito-core and (correct deps to version 3.2.4) its dependencies. Because of the bom-pom nature, it was harder to find where this 3.2.4 version actually comes from and it was lagom bom-pom.

Now the best part. If I explicitely import mockito-core 4.5.1, I end up with correct version of mockito-core however wrong version of its transitive dependencies (and when debugging these, it seems like they came of out nowhere).

[INFO] \- org.mockito:mockito-core:jar:4.5.1:test
[INFO]    +- net.bytebuddy:byte-buddy:jar:1.10.5:test
[INFO]    +- net.bytebuddy:byte-buddy-agent:jar:1.10.5:test
[INFO]    \- org.objenesis:objenesis:jar:2.6:test

This is, again, because lagom bom-pom explicitely states these (byte-buddy, byte-agent, objenesis) in the bom-pom.

In the end I can achieve the change by swapping the order in the pom.xml and by explicitely stating all mockito-core dependencies to the correct version.

Expected behaviour

Changing mockito-core version (or mockito bom-pom) should not cause such mayhem in the dependencies. It should change the mockito-core version to the correct version and then include the correct transitive dependecies on its own.

Because of the content of lagom bom-pom I believe updating mockito is not the only library which can cause this.

Regards
K.