
Dependency snapshot includes evicted transitive dependency #266

@daramcq

Overview

We're seeing that the SBT Dependency Submission workflow is generating and uploading a dependency snapshot that includes an evicted dependency. This leads to GitHub's SBOM/Dependency graph being inaccurate.

Below is some supporting information. Please let me know if there's anything else that I can provide to help diagnose the issue.

Thanks!

Supporting information

Dependency Tree

Evicted version

Here's the relevant output from the dependency tree (sbt dependencyTree):

[info]   | | +-org.apache.avro:avro:1.9.2 (evicted by: 1.11.4)
[info]   | | +-org.apache.commons:commons-compress:1.26.1 (evicted by: 1.26.2)
[info]   | | +-org.apache.commons:commons-compress:1.26.2
[info]   | | | +-commons-codec:commons-codec:1.17.0
[info]   | | | +-commons-io:commons-io:2.16.1
[info]   | | | +-org.apache.commons:commons-lang3:3.14.0

Evictee version

[info]   +-org.apache.flink:flink-avro:1.18.1
[info]   | +-com.google.code.findbugs:jsr305:1.3.9 (evicted by: 3.0.2)
[info]   | +-com.google.code.findbugs:jsr305:3.0.2
[info]   | +-org.apache.avro:avro:1.11.3 (evicted by: 1.11.4)
[info]   | +-org.apache.avro:avro:1.11.4
[info]   | | +-com.fasterxml.jackson.core:jackson-core:2.14.3 (evicted by: 2.15.2)
[info]   | | +-com.fasterxml.jackson.core:jackson-core:2.15.2
[info]   | | +-com.fasterxml.jackson.core:jackson-databind:2.13.4.2
[info]   | | | +-com.fasterxml.jackson.core:jackson-annotations:2.13.4 (evicted by: 2..
[info]   | | | +-com.fasterxml.jackson.core:jackson-annotations:2.15.2
[info]   | | | +-com.fasterxml.jackson.core:jackson-core:2.13.4 (evicted by: 2.15.2)
[info]   | | | +-com.fasterxml.jackson.core:jackson-core:2.15.2

Snapshot

Evicted version

After running > githubGenerateSnapshot, I found the following in the generated snapshot:

        "org.apache.avro:avro:1.9.2": {
          "package_url": "pkg:maven/org.apache.avro/avro@1.9.2",
          "metadata": {
            "config": "provided"
          },
          "relationship": "indirect",
          "scope": "runtime",
          "dependencies": [
            "org.apache.commons:commons-compress:1.26.1",
            "com.fasterxml.jackson.core:jackson-core:2.13.4"
          ]
        },

Evictee version

        "org.apache.avro:avro:1.11.4": {
          "package_url": "pkg:maven/org.apache.avro/avro@1.11.4",
          "metadata": {
            "config": "compile"
          },
          "relationship": "indirect",
          "scope": "runtime",
          "dependencies": [
            "com.fasterxml.jackson.core:jackson-databind:2.13.4.2",
            "org.slf4j:slf4j-api:1.7.36",
            "com.fasterxml.jackson.core:jackson-core:2.15.2",
            "org.apache.commons:commons-compress:1.26.2"
          ]
        },

Dependency source

        "org.apache.hadoop:hadoop-common:3.4.1": {
          "package_url": "pkg:maven/org.apache.hadoop/hadoop-common@3.4.1",
          "metadata": {
            "config": "compile"
          },
          "relationship": "direct",
          "scope": "runtime",
          "dependencies": [
            "org.apache.avro:avro:1.11.4",
            "truncated for brevity",
            "org.apache.avro:avro:1.9.2",
          ]
        },
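The following script is an added example and is not part of this issue or of the sbt-dependency-submission project. It shows how a maintainer can audit a generated snapshot for exactly the problem reported above: it parses `sbt dependencyTree` output for `(evicted by: ...)` markers, then checks whether any of those evicted coordinates still appear in the snapshot's `resolved` map, either as packages or as dependency edges, and reports which package references them. A second check needs no tree output at all and simply flags any `group:artifact` present in more than one version, which in a single-classpath snapshot is a strong sign of an eviction leak. The sample tree lines and resolved entries are constructed from the fragments quoted in this issue (dependency lists trimmed); the `manifests`/`resolved` layout assumed by `resolved_from_snapshot` is the GitHub dependency submission API's snapshot format.

```python
import json
import re
import sys
from collections import defaultdict

# Constructed sample: a few `sbt dependencyTree` lines modelled on those quoted above.
SAMPLE_TREE = """\
[info]   | | +-org.apache.avro:avro:1.9.2 (evicted by: 1.11.4)
[info]   | | +-org.apache.commons:commons-compress:1.26.1 (evicted by: 1.26.2)
[info]   | | +-org.apache.commons:commons-compress:1.26.2
[info]   +-org.apache.flink:flink-avro:1.18.1
[info]   | +-org.apache.avro:avro:1.11.3 (evicted by: 1.11.4)
[info]   | +-org.apache.avro:avro:1.11.4
"""

# Constructed sample: a trimmed "resolved" map built from the snapshot entries quoted above.
SAMPLE_RESOLVED = {
    "org.apache.hadoop:hadoop-common:3.4.1": {
        "package_url": "pkg:maven/org.apache.hadoop/hadoop-common@3.4.1",
        "relationship": "direct",
        "scope": "runtime",
        "dependencies": ["org.apache.avro:avro:1.11.4", "org.apache.avro:avro:1.9.2"],
    },
    "org.apache.avro:avro:1.9.2": {
        "package_url": "pkg:maven/org.apache.avro/avro@1.9.2",
        "relationship": "indirect",
        "scope": "runtime",
        "dependencies": ["org.apache.commons:commons-compress:1.26.1"],
    },
    "org.apache.avro:avro:1.11.4": {
        "package_url": "pkg:maven/org.apache.avro/avro@1.11.4",
        "relationship": "indirect",
        "scope": "runtime",
        "dependencies": ["org.apache.commons:commons-compress:1.26.2"],
    },
    "org.apache.commons:commons-compress:1.26.2": {
        "package_url": "pkg:maven/org.apache.commons/commons-compress@1.26.2",
        "relationship": "indirect",
        "scope": "runtime",
        "dependencies": [],
    },
}

# Matches "+-org:name:version" optionally followed by " (evicted by: X)".
TREE_LINE = re.compile(
    r"\+-(?P<org>[^:\s]+):(?P<name>[^:\s]+):(?P<version>\S+)"
    r"(?:\s+\(evicted by: (?P<winner>[^)]+)\))?"
)


def parse_evictions(tree_text):
    """Return {'org:name:version': winning_version} for every evicted node in the tree."""
    evicted = {}
    for line in tree_text.splitlines():
        m = TREE_LINE.search(line)
        if m and m.group("winner"):
            coord = f"{m.group('org')}:{m.group('name')}:{m.group('version')}"
            evicted[coord] = m.group("winner")
    return evicted


def resolved_from_snapshot(snapshot):
    """Merge the 'resolved' maps of every manifest in a dependency snapshot document."""
    merged = {}
    for manifest in snapshot.get("manifests", {}).values():
        merged.update(manifest.get("resolved", {}))
    return merged


def find_evicted_in_snapshot(resolved, evicted):
    """List evicted coordinates that the snapshot still carries, with the packages that reference them."""
    referrers = defaultdict(list)
    present = set(resolved)
    for pkg, entry in resolved.items():
        for dep in entry.get("dependencies", []):
            present.add(dep)  # a dangling edge to an evicted version is a leak too
            referrers[dep].append(pkg)
    return [
        {"package": c, "evicted_by": evicted[c], "referenced_by": sorted(referrers.get(c, []))}
        for c in sorted(present) if c in evicted
    ]


def duplicate_artifacts(resolved):
    """Return {'org:name': [versions]} for artifacts that appear in more than one version."""
    versions = defaultdict(set)
    for coord in resolved:
        parts = coord.split(":")
        versions[f"{parts[0]}:{parts[1]}"].add(parts[-1])
    return {k: sorted(v) for k, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    # Usage: python check_snapshot.py snapshot.json dependency-tree.txt (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            resolved = resolved_from_snapshot(json.load(f))
        with open(sys.argv[2]) as f:
            evicted = parse_evictions(f.read())
    else:
        resolved, evicted = SAMPLE_RESOLVED, parse_evictions(SAMPLE_TREE)
    for hit in find_evicted_in_snapshot(resolved, evicted):
        print(f"{hit['package']} evicted by {hit['evicted_by']}, referenced by {hit['referenced_by']}")
    for artifact, vs in duplicate_artifacts(resolved).items():
        print(f"multiple versions of {artifact}: {', '.join(vs)}")
```

Run against the real files, the first check is the authoritative one because it uses sbt's own eviction verdict; the second is a cheap smoke test you can run in CI on the snapshot alone before it is uploaded, so an inaccurate graph is caught before it reaches the dependency graph and any alerts derived from it.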
