Summary
The junit-jupiter dependencies in metaschema-java modules are being pulled in with compile scope instead of test scope. This causes downstream projects (e.g., oscal-cli) to inadvertently include junit jars in their runtime distribution packages.
Evidence
When running mvn dependency:tree -Dverbose on oscal-cli, the output shows:
(org.junit.jupiter:junit-jupiter:jar:6.0.1:compile - version managed from 5.12.0; omitted for duplicate)
This is coming from metaschema-java modules (metaschema-core, metaschema-databind, cli-processor, etc.).
Impact
- junit-jupiter jars (6 jars, ~1.3MB total) are included in runtime distribution lib folders
- Unnecessary bloat in production deployments
- Confusing for users who see test framework jars in production artifacts
Expected Behavior
junit dependencies should have <scope>test</scope> and should not appear in runtime/compile dependency trees of downstream projects.
Suggested Fix
Review the dependency declarations in the parent pom or individual module poms to ensure junit-jupiter has test scope.
Summary
The
junit-jupiterdependencies in metaschema-java modules are being pulled in withcompilescope instead oftestscope. This causes downstream projects (e.g., oscal-cli) to inadvertently include junit jars in their runtime distribution packages.Evidence
When running
mvn dependency:tree -Dverboseon oscal-cli, the output shows:This is coming from metaschema-java modules (metaschema-core, metaschema-databind, cli-processor, etc.).
Impact
Expected Behavior
junit dependencies should have
<scope>test</scope>and should not appear in runtime/compile dependency trees of downstream projects.Suggested Fix
Review the dependency declarations in the parent pom or individual module poms to ensure junit-jupiter has test scope.