As of version 6.0.0, the
org.openmicroscopy:ome-common artifact depends on
io.minio:minio:5.0.2, which depends on (among other things)
com.google.code.findbugs:annotations:3.0.1. Unfortunately, these two artifacts shadow some of the same classes from JSR-305 in the
javax.annotations package. This causes the enforcer to fail when building projects that depend on ome-common 6.0.0:
Relevant portion of the build log
[WARNING] Rule 3: org.apache.maven.plugins.enforcer.BanDuplicateClasses failed with message: No Duplicate Classes Allowed! - For duplicate transitive dependencies, add dependency exclusions. - For duplications between direct dependencies, resolve or add ignored classes to this rule's configuration. Found in: net.jcip:jcip-annotations:jar:1.0:runtime com.google.code.findbugs:annotations:jar:3.0.1:runtime Duplicate classes: net/jcip/annotations/ThreadSafe.class net/jcip/annotations/GuardedBy.class net/jcip/annotations/NotThreadSafe.class net/jcip/annotations/Immutable.class Found in: com.google.code.findbugs:jsr305:jar:3.0.1:runtime com.google.code.findbugs:annotations:jar:3.0.1:runtime Duplicate classes: javax/annotation/RegEx.class javax/annotation/concurrent/Immutable.class javax/annotation/meta/TypeQualifierDefault.class javax/annotation/meta/TypeQualifier.class ...
I was looking into the best way to deal with it:
I checked whether the latest
minio, version 6.0.2, has addressed the issue, but it has not: same overlapping dependencies.
There appears to be an issue in the findbugs GitHub repository documenting this issue—findbugsproject/findbugs#94—but it seems that FindBugs is no longer being maintained. Instead, there is SpotBugs now. So perhaps one action item here is to file an issue in the minio issue tracker?
In the meantime, to avoid the conflicts, I think the best solution is for ome-common’s next release to exclude
miniodependency declaration. That artifact is a strict subset of
com.google.code.findbugs:jsr305, so I think it will not cause any problems, although of course should be tested to ensure everything still works.
To fix the issue for pom-scijava with ome-common 6.0.0, I have added that exclusion beneath the ome-common dependency management block. The enforcer then passes on the latest Fiji master branch with the latest pom-scijava including that exclusion. I will release pom-scijava 26.0.0 including that workaround. Once a new ome-common exists with non-overlapping dependencies and has propagated to pom-scijava, the exclusion can be removed again.