
Npm packages with dependencies that have version ranges produce really bad pom.xml metadata #1951

Open
dsyer opened this issue Nov 19, 2021 · 5 comments

Comments

@dsyer
Contributor

dsyer commented Nov 19, 2021

You simply can't trust that any library with a pom.xml that contains a dependency with a version range is ever going to work in practice. It is hugely inefficient (Maven has to look at all the candidates and download them), so it can take all day to simply list the dependencies. There are also often errors in the NPM metadata, or inconsistencies with the webjars repositories that actually just break the build.

Here's a sample that fails with mvn dependency:list:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <packaging>jar</packaging>
    <groupId>com.example</groupId>
    <artifactId>jquery-issue</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.webjars.npm</groupId>
            <artifactId>jquery-ui</artifactId>
            <version>1.13.0</version>
        </dependency>
    </dependencies>

</project>

Result:

$ mvn dependency:list
...
[INFO] Building jquery-issue 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The POM for org.webjars.npm:hosted-git-info:jar:2.6.0 is missing, no dependency information available
[WARNING] The POM for org.webjars.npm:semver:jar:2- >=2.2.1,[3,4),[4,5),[5,6) is missing, no dependency information available
[WARNING] The POM for org.webjars.npm:gauge:jar:2.7.4 is missing, no dependency information available
[WARNING] The POM for org.webjars.npm:cyclist:jar:0.2.2 is missing, no dependency information available
[WARNING] The POM for org.webjars.npm:mime:jar:1.2.2 is missing, no dependency information available
Downloading from spring-snapshots: https://repo.spring.io/snapshot/org/webjars/npm/lodash._releaseobject/maven-metadata.xml
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.368 s
[INFO] Finished at: 2021-11-19T10:05:17Z
[INFO] ------------------------------------------------------------------------
[WARNING] The requested profile "ide" could not be activated because it does not exist.
[ERROR] Failed to execute goal on project jquery-issue: Could not resolve dependencies for project com.example:jquery-issue:jar:0.0.1-SNAPSHOT: Failed to collect dependencies at org.webjars.npm:jquery-ui:jar:1.13.0 -> org.webjars.npm:jquery:jar:1.8.3 -> org.webjars.npm:navigator:jar:[1.0.1,1.1): No versions available for org.webjars.npm:navigator:jar:[1.0.1,1.1) within specified range -> [Help 1]

The problem stems from the fact that jquery-ui has this in its package.json:

	"dependencies": {
		"jquery": ">=1.8.0 <4.0.0"
	},

which translates into this in the webjars pom.xml:

    <dependencies>
        <dependency>
            <groupId>org.webjars.npm</groupId>
            <artifactId>jquery</artifactId>
            <version>[1.8.0,4.0.0)</version>
        </dependency>
    </dependencies>

That version range is evil. Version ranges make sense (marginally) for apps. They never work out well for libraries. It would be better to simply depend on the latest version available.

@jamesward
Member

Yeah, Maven version ranges are a bad idea. I think the alternative (not replicating that information) is worse. But I need to noodle that more. In the meantime, the issue you ran into was because neither org.webjars.npm navigator 1.0.0 nor org.webjars.npm navigator 1.0.1 exists. When an NPM WebJar is deployed the transitive dependencies are also deployed. But sometimes deployment of those fails. In the case of org.webjars.npm navigator 1.0.x there is an error deploying it:

The license could not be determined for NPM - navigator 1.0.1

I'll investigate that and see if we can get that dependency deployed.

FWIW, users do occasionally run into these kinds of issues with missing transitives, and removing ranges wouldn't fix that.

@jamesward
Member

jamesward commented Nov 19, 2021

Some further info on the issue with navigator:
There is no license info: https://github.com/coolaj86/node-navigator
But it is odd that Maven is picking jquery 1.8.3 in the range [1.8.0,4.0.0). Newer versions of jquery don't have the navigator dependency.
I'm diving into how Maven resolves the range...

@jamesward
Member

I can't find why Maven is picking the lowest in the range. Seems strange to me. But I was able to deploy org.webjars.npm:navigator:1.0.1 so this particular transitive should be fixed.

I'll continue thinking about not using ranges and instead locking to the latest available in the specified range.

@dsyer
Contributor Author

dsyer commented Nov 20, 2021

Maven tries to resolve the 1.8.3 dependencies because it literally has to download all the poms for all the versions in that (really large) range. It takes about 10 minutes just to fail for me, having worked its way up from 1.8.0. It’s not a good thing.

@jamesward
Member

Side note, Gradle does the right thing (doesn't download the universe) and resolves the transitive dependency to be jquery 3.6.0. I need to look further into Maven's range resolution stuff.
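As an added example (not code from this issue or from the webjars project), the following Python parses Maven range specs such as the `[1.8.0,4.0.0)` quoted above, finds ranged dependencies in a pom.xml, and pins each one to the newest version available inside the range. That is the "lock to the latest available in the specified range" behaviour discussed in the thread, and on the constructed inputs it yields jquery 3.6.0, the same answer Gradle produced. The pom text and the per-artifact version lists are constructed stand-ins for the webjars pom and for each artifact's maven-metadata.xml; the version comparison is simplified to dotted numeric versions and does not implement Maven's full ComparableVersion qualifier ordering. A spec that does not begin with `[` or `(` is treated as a plain soft version and left untouched, which is also how Maven reads the malformed `semver` coordinate in the build log and why it was reported as a missing POM. A range with no available version inside it is reported as unresolvable, the `No versions available ... within specified range` failure from the first comment.

```python
# Added example: pin Maven version ranges in a pom.xml to the newest available version.
# Not from the webjars project; the sample pom and version lists below are constructed.
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
ET.register_namespace("", POM_NS)  # keep the default namespace unprefixed on output

# Constructed sample modelled on the webjars pom quoted in the issue (not real metadata).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.webjars.npm</groupId><artifactId>jquery-ui</artifactId><version>1.13.0</version>
  <dependencies>
    <dependency><groupId>org.webjars.npm</groupId><artifactId>jquery</artifactId>
      <version>[1.8.0,4.0.0)</version></dependency>
    <dependency><groupId>org.webjars.npm</groupId><artifactId>navigator</artifactId>
      <version>[1.0.1,1.1)</version></dependency>
  </dependencies>
</project>"""

# Constructed stand-in for each artifact's maven-metadata.xml <versions> list, hard-coded
# so the example runs offline. navigator has no 1.0.x, mirroring the missing transitive.
AVAILABLE = {
    ("org.webjars.npm", "jquery"): ["1.8.0", "1.8.3", "2.2.4", "3.5.1", "3.6.0", "4.0.0"],
    ("org.webjars.npm", "navigator"): ["0.9.0", "1.1.0"],
}

# One Maven restriction: opening bracket, low bound, optional ",high", closing bracket.
RESTRICTION_RE = re.compile(r"([\[(])([^,\[\]()]*)(?:,([^,\[\]()]*))?([\])])")


def parse_version(text):
    """'1.8.3' -> (1, 8, 3); trailing zeros dropped so 1.8 == 1.8.0 as in Maven.
    Simplification: only dotted numeric versions, no -beta style qualifiers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_range(spec):
    """Parse '[1.8.0,4.0.0)' or '(,1.0],[1.2,)' into (low, low_incl, high, high_incl)
    restrictions, None bounds being open. A spec not starting with '[' or '(' is a soft
    version, returned as None: Maven looks that literal string up as a version."""
    spec = spec.strip()
    if not spec or spec[0] not in "[(":
        return None
    restrictions, pos = [], 0
    while pos < len(spec):
        m = RESTRICTION_RE.match(spec, pos)
        if not m:
            raise ValueError(f"malformed version range: {spec!r}")
        lo_br, lo, hi, hi_br = m.groups()
        if hi is None:  # '[1.0]' means exactly 1.0
            hi = lo
        restrictions.append((parse_version(lo) if lo else None, lo_br == "[",
                             parse_version(hi) if hi else None, hi_br == "]"))
        pos = m.end()
        if pos < len(spec):
            if spec[pos] != ",":
                raise ValueError(f"malformed version range: {spec!r}")
            pos += 1
    return restrictions


def in_range(version, restrictions):
    """True if the version tuple satisfies any restriction (Maven ORs the sets)."""
    for lo, lo_incl, hi, hi_incl in restrictions:
        if lo is not None and (version < lo if lo_incl else version <= lo):
            continue
        if hi is not None and (version > hi if hi_incl else version >= hi):
            continue
        return True
    return False


def latest_in_range(spec, candidates):
    """Highest candidate inside the range; None if nothing matches (Maven's
    'No versions available ... within specified range'). Soft versions pass through."""
    restrictions = parse_range(spec)
    if restrictions is None:
        return spec.strip()
    matching = [v for v in candidates if in_range(parse_version(v), restrictions)]
    return max(matching, key=parse_version) if matching else None


def pin_ranges(pom_text, available):
    """Rewrite each ranged <version> to the newest available version in its range.
    Returns (new_pom_text, report) with report entries (groupId, artifactId, spec, pinned)."""
    root = ET.fromstring(pom_text)
    report = []
    for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        ver = dep.find("m:version", NS)
        if ver is None or parse_range(ver.text) is None:
            continue  # already pinned or soft: leave it alone
        pinned = latest_in_range(ver.text, available.get((gid, aid), []))
        report.append((gid, aid, ver.text, pinned))
        if pinned is not None:
            ver.text = pinned
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    new_pom, report = pin_ranges(SAMPLE_POM, AVAILABLE)
    for gid, aid, spec, pinned in report:
        print(f"{gid}:{aid} {spec} -> {pinned or 'UNRESOLVABLE'}")
    print(new_pom)
```

Run against the constructed inputs, jquery's `[1.8.0,4.0.0)` is pinned to 3.6.0 (4.0.0 is excluded by the exclusive upper bound) and navigator's `[1.0.1,1.1)` is left as-is and reported as unresolvable, so the pinning step surfaces the missing transitive at build-definition time instead of after Maven has walked the whole range.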
