Provide streamlined dependency management to avoid conflicting dependencies #26505
Description
Is your feature request related to a problem? Please describe
Hi there,
I'm using the google-api-services-youtube library in one of my projects and noticed (by means of the maven-enforcer-plugin- specifically the dependency convergence rule) that there are a number of conflicting dependencies.
Specifically google-api-services-youtube as of version v3-rev20250224-2.0.0 effectively brings 3 ⚠ different versions of com.google.http-client:google-http-client:
com.google.http-client:google-http-client:jar:1.43.3com.google.http-client:google-http-client:jar:1.45.0com.google.http-client:google-http-client:jar:1.45.2
This is the full output of the enforcer plugin:
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.DependencyConvergence failed with message:
[ERROR] Failed while enforcing releasability.
[ERROR]
[ERROR] Dependency convergence error for com.google.http-client:google-http-client-gson:jar:1.43.3 paths to dependency are:
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.oauth-client:google-oauth-client:jar:1.36.0:compile
[ERROR] +-com.google.http-client:google-http-client-gson:jar:1.43.3:compile
[ERROR] and
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.auth:google-auth-library-oauth2-http:jar:1.30.0:compile
[ERROR] +-com.google.http-client:google-http-client-gson:jar:1.45.0:compile
[ERROR] and
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.http-client:google-http-client-gson:jar:1.45.2:compile
[ERROR]
[ERROR]
[ERROR] Dependency convergence error for commons-codec:commons-codec:jar:1.17.1 paths to dependency are:
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-commons-codec:commons-codec:jar:1.17.1:compile
[ERROR] and
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[ERROR] +-commons-codec:commons-codec:jar:1.11:compile
[ERROR]
[ERROR]
[ERROR] Dependency convergence error for com.google.guava:guava:jar:31.1-android paths to dependency are:
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.oauth-client:google-oauth-client:jar:1.36.0:compile
[ERROR] +-com.google.guava:guava:jar:31.1-android:compile
[ERROR] and
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.auth:google-auth-library-oauth2-http:jar:1.30.0:compile
[ERROR] +-com.google.guava:guava:jar:33.3.1-android:compile
[ERROR] and
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.guava:guava:jar:33.1.0-jre:compile
[ERROR]
[ERROR]
[ERROR] Dependency convergence error for com.google.http-client:google-http-client:jar:1.43.3 paths to dependency are:
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.oauth-client:google-oauth-client:jar:1.36.0:compile
[ERROR] +-com.google.http-client:google-http-client:jar:1.43.3:compile
[ERROR] and
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.auth:google-auth-library-oauth2-http:jar:1.30.0:compile
[ERROR] +-com.google.http-client:google-http-client:jar:1.45.0:compile
[ERROR] and
[ERROR] +-com.github.jjank.example:yt-dependency-conflicts:jar:1.0-SNAPSHOT
[ERROR] +-com.google.apis:google-api-services-youtube:jar:v3-rev20250224-2.0.0:compile
[ERROR] +-com.google.api-client:google-api-client:jar:2.7.2:compile
[ERROR] +-com.google.http-client:google-http-client:jar:1.45.2:compile
Aside from the rule violation - dependency conflicts should be avoided wherever possible.
Describe the solution you'd like
Streamlined dependency-management. My personal perference would be a bom maven dependency that manages all direct and transitive dependencies of google-api-java-client-services
Describe alternatives you've considered
Using various (and complicated) exclusions in maven. While this is doable, it seems brittle and hard to maintain. As a user of google-api-services-youtube it's hard to know which versions work well together.
Additional context
I've created a Github-project that reproduces the problem: https://github.com/jjank/yt-api-dependency-conflicts