Production Dependency on maven-bundle-plugin

[juergen3000]

Declaring the Dependency to the Maven Module maven-bundle-plugin in the Dependencies-Section like this

<dependencies>
    ...
    <dependency>
            <groupId>org.apache.felix</groupId>
            <artifactId>maven-bundle-plugin</artifactId>
            <version>5.1.5</version>
            <type>maven-plugin</type>
    </dependency>
    ....
</dependencies>

leads to the following Dependency Tree in compile-Scope, which means, you explicitly have to declare an exclusion if you don't want to ship Maven Modules with Dependencies like junit-4 with your Production Artifact.

compile-Scope Dependency Tree:

\- de.ruedigermoeller:fst:jar:3.0.4-jdk17:compile
   +- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile
   +- org.apache.felix:maven-bundle-plugin:maven-plugin:5.1.5:compile
   |  +- org.osgi:org.osgi.core:jar:6.0.0:compile
   |  +- biz.aQute.bnd:biz.aQute.bndlib:jar:6.2.0:compile
   |  |  +- org.osgi:org.osgi.dto:jar:1.0.0:compile
   |  |  +- org.osgi:org.osgi.resource:jar:1.0.0:compile
   |  |  +- org.osgi:org.osgi.framework:jar:1.8.0:compile
   |  |  +- org.osgi:org.osgi.util.tracker:jar:1.5.4:compile
   |  |  |  \- org.osgi:osgi.annotation:jar:8.0.1:compile
   |  |  +- org.osgi:org.osgi.service.log:jar:1.3.0:compile
   |  |  +- org.osgi:org.osgi.service.repository:jar:1.1.0:compile
   |  |  +- org.osgi:org.osgi.util.function:jar:1.2.0:compile
   |  |  +- org.osgi:org.osgi.util.promise:jar:1.2.0:compile
   |  |  \- biz.aQute.bnd:biz.aQute.bnd.util:jar:6.2.0:compile
   |  +- org.apache.felix:org.apache.felix.bundlerepository:jar:1.6.6:compile
   |  |  \- org.easymock:easymock:jar:2.4:compile
   |  +- org.apache.felix:org.apache.felix.utils:jar:1.6.0:compile
   |  |  \- org.osgi:org.osgi.compendium:jar:4.2.0:compile
   |  +- org.apache.maven:maven-core:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-model:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-settings:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-settings-builder:jar:3.3.9:compile
   |  |  |  \- org.apache.maven:maven-builder-support:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-repository-metadata:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-artifact:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-plugin-api:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-model-builder:jar:3.3.9:compile
   |  |  +- org.apache.maven:maven-aether-provider:jar:3.3.9:compile
   |  |  |  \- org.eclipse.aether:aether-spi:jar:1.0.2.v20150114:compile
   |  |  +- org.eclipse.aether:aether-impl:jar:1.0.2.v20150114:compile
   |  |  +- org.eclipse.aether:aether-api:jar:1.0.2.v20150114:compile
   |  |  +- org.eclipse.aether:aether-util:jar:1.0.2.v20150114:compile
   |  |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.2:compile
   |  |  |  \- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.2:compile
   |  |  +- com.google.inject:guice:jar:no_aop:4.0:compile
   |  |  |  \- aopalliance:aopalliance:jar:1.0:compile
   |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
   |  |  +- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
   |  |  +- org.codehaus.plexus:plexus-component-annotations:jar:1.6:compile
   |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
   |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
   |  +- org.apache.maven:maven-compat:jar:3.3.9:compile
   |  |  \- org.apache.maven.wagon:wagon-provider-api:jar:2.10:compile
   |  +- org.apache.maven.reporting:maven-reporting-api:jar:3.0:compile
   |  +- org.apache.maven:maven-archiver:jar:3.5.2:compile
   |  |  +- org.apache.maven.shared:maven-shared-utils:jar:3.3.3:compile
   |  |  +- org.apache.commons:commons-compress:jar:1.20:compile
   |  |  \- org.codehaus.plexus:plexus-archiver:jar:4.2.7:compile
   |  |     +- org.codehaus.plexus:plexus-io:jar:3.2.0:compile
   |  |     +- org.iq80.snappy:snappy:jar:0.4:compile
   |  |     \- org.tukaani:xz:jar:1.9:runtime
   |  +- org.apache.maven.shared:maven-dependency-tree:jar:3.0:compile
   |  +- org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
   |  +- org.sonatype.plexus:plexus-build-api:jar:0.0.7:compile
   |  +- org.apache.maven.doxia:doxia-sink-api:jar:1.0:compile
   |  +- org.apache.maven.doxia:doxia-site-renderer:jar:1.0:compile
   |  |  +- org.apache.maven.doxia:doxia-core:jar:1.0:compile
   |  |  +- org.codehaus.plexus:plexus-i18n:jar:1.0-beta-7:compile
   |  |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-30:compile
   |  |  |  \- junit:junit:jar:4.13.2:compile
   |  |  |     \- org.hamcrest:hamcrest-core:jar:2.2:compile
   |  |  +- org.codehaus.plexus:plexus-velocity:jar:1.1.7:compile
   |  |  +- org.apache.velocity:velocity:jar:1.5:compile
   |  |  |  +- commons-lang:commons-lang:jar:2.1:compile
   |  |  |  \- oro:oro:jar:2.0.8:compile
   |  |  +- org.apache.maven.doxia:doxia-decoration-model:jar:1.0:compile
   |  |  +- org.apache.maven.doxia:doxia-module-apt:jar:1.0:compile
   |  |  +- org.apache.maven.doxia:doxia-module-fml:jar:1.0:compile
   |  |  +- org.apache.maven.doxia:doxia-module-xdoc:jar:1.0:compile
   |  |  \- org.apache.maven.doxia:doxia-module-xhtml:jar:1.0:compile
   |  \- org.jdom:jdom:jar:1.1:compile
   +- org.javassist:javassist:jar:3.21.0-GA:compile
   +- org.objenesis:objenesis:jar:2.5.1:compile
   \- it.unimi.dsi:fastutil:jar:8.5.9:compile

Affected Versions:

• 3.0.3-jdk17
• 3.0.4-jdk17

[s-rwe]

It's really an awful amount of clutter that's added by this inadvertently - would be nice to have this removed again without having to declare exclusions in all projects depending on fst :)

Edit: Snippet with corresponding exclusion, if someone else needs it in the meantime:

<dependency>
  <groupId>de.ruedigermoeller</groupId>
  <artifactId>fst</artifactId>
  <version>3.0.4-jdk17</version>
  <exclusions>
    <exclusion>
      <groupId>org.apache.felix</groupId>
      <artifactId>maven-bundle-plugin</artifactId>
    </exclusion>
  </exclusions>
</dependency>