Warning about conflicting dependencies in a new project

[Artur-]

Description of the bug

% npm init vaadin@latest hello246 

> npx
> create-vaadin hello246

✔ Example views: › Hilla (React + TypeScript)
✔ Features: › 
✔ Open project in IDE: › None
Project 'hello246' created

To run your project, open the hello246 folder in your IDE and launch the Application class

You can also run from the terminal using
- cd hello246
- mvn

% cd hello246
% mvn vaadin:build-frontend
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------< com.example.application:hello246 >------------------
....
[INFO] --- vaadin:24.6.0:build-frontend (default-cli) @ hello246 ---
[INFO] Reflections took 747 ms to scan 206 urls, producing 8951 keys and 46291 values
[INFO] Scanning classes to find frontend configurations and dependencies...
[INFO] Visited 8856 classes. Took 2399 ms.
[INFO] Checking if a production mode bundle build is needed
[INFO] Frontend build requested.
[INFO] Running `npm install` to resolve and optionally download frontend dependencies. This may take a moment, please stand by...
[INFO] using '/~/.nvm/versions/node/v22.12.0/bin/npm --no-update-notifier --no-audit --scripts-prepend-node-path=true --ignore-scripts install' for frontend package installation
[INFO] Frontend dependencies resolved successfully.
[INFO] Copying frontend resources from jar files ...
[INFO] Visited 193 resources. Took 91 ms.
[INFO] Running Vite ...
[WARNING] Found dependencies defined with different versions in project and Vaadin maven plugin.
Project dependencies are used, but plugin execution could fail if the versions are incompatible.
In case of build failure please analyze the project dependencies and update versions or configure exclusions for potential offending transitive dependencies.
You can use 'mvn dependency:tree -Dincludes=groupId:artifactId' to detect where the dependency is defined in the project.

com.fasterxml.jackson.core:jackson-core:jar: project version [2.18.1], plugin version [2.18.2]
com.fasterxml.jackson.core:jackson-databind:jar: project version [2.18.1], plugin version [2.18.2]
com.fasterxml.jackson.core:jackson-annotations:jar: project version [2.18.1], plugin version [2.18.2]
com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar: project version [2.18.1], plugin version [2.18.2]
org.apache.commons:commons-lang3:jar: project version [3.17.0], plugin version [3.16.0]
com.vaadin:license-checker:jar: project version [1.13.3], plugin version [1.13.2]
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar: project version [2.18.1], plugin version [2.17.2]
org.yaml:snakeyaml:jar: project version [2.3], plugin version [2.2]
jakarta.xml.bind:jakarta.xml.bind-api:jar: project version [4.0.2], plugin version [2.3.3]
jakarta.activation:jakarta.activation-api:jar: project version [2.1.3], plugin version [1.2.2]
jakarta.validation:jakarta.validation-api:jar: project version [3.0.2], plugin version [2.0.2]

Expected behavior

No warning

Minimal reproducible example

as above

Versions

Vaadin 24.6.0

[mcollovati]

Messages are supposed to be printed at WARN level only if the goal execution fails; otherwise, they should be printed at DEBUG level.
The purpose is to help to investigate issues like ClassNotFoundException, NoSuchMethodException or null pointers caused Reflections not being able to load some class, etc.

We can always log at DEBUG level, but this will force the user to rerun with -X flag to get information.

[mcollovati]

com.vaadin:license-checker:jar: project version [1.13.3], plugin version [1.13.2]

This is because the license-checker has not been bumped in Flow 24.6, and it is using 1.13.2, whereas the 24.6 platform depends on 1.13.3.
Flow 24.7 has 1.13.3

EDIT: license-checker bump has been back-ported to 24.6 (#20738)

[mcollovati]

jackson version is pinned to 2.18.2 both in Flow and Hilla.
jakarta.activation:jakarta.activation-api, jakarta.validation:jakarta.validation-api, jakarta.xml.bind:jakarta.xml.bind-api and org.yaml:snakeyam dependencies come from Hilla maven plugin as jackson transitive dependencies.

INFO] |  +- com.vaadin:hilla-parser-jvm-core:jar:24.7-SNAPSHOT:compile
[INFO] |  |  +- io.github.classgraph:classgraph:jar:4.8.179:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
[INFO] |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.18.2:compile
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.18.2:compile
[INFO] |  |     +- org.yaml:snakeyaml:jar:2.3:compile
[INFO] |  |     \- com.fasterxml.jackson.core:jackson-core:jar:2.18.2:compile
[INFO] |  +- com.vaadin:hilla-parser-jvm-plugin-backbone:jar:24.7-SNAPSHOT:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.18.2:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.18.2:compile
[INFO] |  +- com.vaadin:hilla-parser-jvm-utils:jar:24.7-SNAPSHOT:compile
[INFO] |  |  +- io.swagger.core.v3:swagger-core:jar:2.2.26:compile
[INFO] |  |  |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
[INFO] |  |  |  |  \- jakarta.activation:jakarta.activation-api:jar:2.1.3:compile
[INFO] |  |  |  +- io.swagger.core.v3:swagger-annotations:jar:2.2.26:compile
[INFO] |  |  |  \- jakarta.validation:jakarta.validation-api:jar:3.0.2:compile
[INFO] |  |  \- io.swagger.core.v3:swagger-models:jar:2.2.26:compile

[mcollovati]

About Jackson incompatibilities, the next 24.6 release will depend on Spring Boot 3.4.1 that pins Jackson 2.18.2.

In the future, we should probably bump jackson in Flow and Hilla only when it is upgraded in Spring Boot (unless there are security issues or other problems that prevent waiting for SB)

[mcollovati]

Hilla parent pom pins a couple of Apache commons dependencies to a version older than the one defined in Flow

[mcollovati]

It should be re-tested with the next platform version.
The license-checker and Spring Boot bump in addition to vaadin/hilla#3094 should remove most (or maybe all) of the incompatibilities present in the ticket description.

Probably vaadin/hilla#3094 needs to be picked to 24.6