I have the following configuration in pom.xml:
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.4</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.4</version>
</dependency>
But unfortunately mvn dependency:tree
shows me that commons-beanutils
has a dependency on commons-collections 3.x:
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile
I don't want Commons Collections 3
in my code, but it's possible that someone uses a class from this library by mistake (instead of Commons Collections 4,
which is the preferred version).
As you can see in the dependency tree, I can't exclude Commons Collections 3, because it is used (a java.lang.NoClassDefFoundError could occur).
Question:
How do I protect my code base against pollution by the Commons Collections 3 API?
You can use the dependency:analyze-only goal
https://maven.apache.org/plugins/maven-dependency-plugin/analyze-only-mojo.html
to check whether you use undeclared dependencies, i.e. whether you use a transitive dependency without explicitly declaring it.
If you don't want this in your build, but just want to check it occasionally, you can use dependency:analyze
from the command line.
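To show how the analyze-only goal from the answer above is wired into a build so that it fails rather than just warns, here is an added example of the plugin configuration; it is not part of the original question or answer, and the plugin version, the execution id, and the ignore pattern are assumptions of this example (the parameter names failOnWarning and ignoredUnusedDeclaredDependencies are documented plugin parameters). With the dependency tree shown in the question, a class that imports something from the org.apache.commons.collections package (Commons Collections 3) compiles fine, because commons-collections:commons-collections:3.2.2 is on the compile classpath transitively, but this execution then reports it as a used undeclared dependency during the verify phase and fails the build.

```xml
<!-- Added example: fail the build when compiled code uses a transitive
     dependency (such as commons-collections 3.x) that the pom does not declare. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <!-- Assumed version; use the current release for your build. -->
      <version>3.6.1</version>
      <executions>
        <execution>
          <!-- Execution id is an assumption of this example. -->
          <id>fail-on-used-undeclared-dependencies</id>
          <!-- analyze-only binds to the verify phase by default, so no
               <phase> is needed; it runs after test-compile and inspects
               bytecode, not source, so only real class references count. -->
          <goals>
            <goal>analyze-only</goal>
          </goals>
          <configuration>
            <!-- Turn every analysis warning into a build failure. -->
            <failOnWarning>true</failOnWarning>
            <!-- failOnWarning also fails on "unused declared" dependencies.
                 If you only care about the "used undeclared" case, suppress
                 the other one here; the wildcard pattern below is an
                 assumption of this example, adjust it to your needs. -->
            <ignoredUnusedDeclaredDependencies>
              <ignoredUnusedDeclaredDependency>*:*</ignoredUnusedDeclaredDependency>
            </ignoredUnusedDeclaredDependencies>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Two caveats for this check. First, it only sees what the compiler produced: code that reaches Commons Collections 3 through reflection, or through a third library's API, is not flagged. Second, because the report is symmetric, any dependency you declare but never reference directly (an annotation processor, a runtime-only driver) also produces a warning, which is why the example suppresses the unused-declared side; a stricter alternative is to list such dependencies individually instead of using a wildcard.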