shade plugin generate packages of dependencies in shaded-jar

[Mortinke]

Currently, the shade plugin include the packages of dependencies in the uber-jar, which can not be excluded when using the lib:

[INFO] --- maven-shade-plugin:3.2.1:shade (default) @ spring-security-jwt ---
[INFO] Including org.immutables:value-annotations:jar:2.7.5 in the shaded jar.
[INFO] Including org.immutables.vavr:vavr-encodings:jar:0.6.0 in the shaded jar.
[INFO] Including org.immutables:encode:jar:2.6.0 in the shaded jar.
[INFO] Including com.mercateo:default-immutables:jar:1.2.5 in the shaded jar.
[INFO] Including org.springframework.security:spring-security-web:jar:5.1.5.RELEASE in the shaded jar.
[INFO] Including org.springframework.security:spring-security-core:jar:5.1.5.RELEASE in the shaded jar.
[INFO] Including org.springframework:spring-aop:jar:5.1.6.RELEASE in the shaded jar.
[INFO] Including org.springframework:spring-beans:jar:5.1.6.RELEASE in the shaded jar.
[INFO] Including org.springframework:spring-context:jar:5.1.6.RELEASE in the shaded jar.
[INFO] Including org.springframework:spring-core:jar:5.1.6.RELEASE in the shaded jar.
[INFO] Including org.springframework:spring-jcl:jar:5.1.6.RELEASE in the shaded jar.
[INFO] Including org.springframework:spring-expression:jar:5.1.6.RELEASE in the shaded jar.
[INFO] Including org.springframework:spring-web:jar:5.1.6.RELEASE in the shaded jar.
[INFO] Including org.springframework.security:spring-security-config:jar:5.1.5.RELEASE in the shaded jar.
[INFO] Including com.fasterxml.jackson.core:jackson-databind:jar:2.9.8 from the shaded jar.
[INFO] Including com.fasterxml.jackson.core:jackson-core:jar:2.9.8 from the shaded jar.
[INFO] Including com.fasterxml.jackson.core:jackson-annotations:jar:2.9.8 from the shaded jar.
[INFO] Including com.auth0:java-jwt:jar:3.8.0 in the shaded jar.
[INFO] Including commons-codec:commons-codec:jar:1.11 in the shaded jar.
[INFO] Including com.auth0:jwks-rsa:jar:0.7.0 in the shaded jar.
[INFO] Including commons-io:commons-io:jar:2.6 in the shaded jar.
[INFO] Including com.google.guava:guava:jar:27.0-jre from the shaded jar.
[INFO] Including com.google.guava:failureaccess:jar:1.0 from the shaded jar.
[INFO] Including com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava from the shaded jar.
[INFO] Including com.google.code.findbugs:jsr305:jar:3.0.2 from the shaded jar.
[INFO] Including org.checkerframework:checker-qual:jar:2.5.2 in the shaded jar.
[INFO] Including com.google.errorprone:error_prone_annotations:jar:2.2.0 in the shaded jar.
[INFO] Including com.google.j2objc:j2objc-annotations:jar:1.1 in the shaded jar.
[INFO] Including org.codehaus.mojo:animal-sniffer-annotations:jar:1.17 in the shaded jar.
[INFO] Including io.vavr:vavr:jar:0.10.0 in the shaded jar.
[INFO] Including io.vavr:vavr-match:jar:0.10.0 in the shaded jar.
[INFO] Including org.slf4j:slf4j-api:jar:1.7.25 from the shaded jar.

This results in a lots of duplicate dependencies if you use the lib. The duplicate classes can't be solved as these are included as package instead of the libs:

[WARNING] Found duplicate and different classes in [com.google.guava:guava:20.0, com.mercateo.spring:spring-security-jwt:1.0.6-SNAPSHOT]:
[WARNING]   com.google.common.annotations.Beta
[WARNING]   com.google.common.annotations.GwtCompatible
[WARNING]   com.google.common.annotations.GwtIncompatible
[WARNING]   com.google.common.annotations.VisibleForTesting
[WARNING]   com.google.common.base.Absent
........
[WARNING] Found duplicate and different classes in [com.google.code.findbugs:jsr305:3.0.2, com.mercateo.spring:spring-security-jwt:1.0.6-SNAPSHOT]:
[WARNING]   javax.annotation.CheckForNull
[WARNING]   javax.annotation.CheckForSigned
[WARNING]   javax.annotation.CheckReturnValue
[WARNING]   javax.annotation.Detainted
[WARNING]   javax.annotation.MatchesPattern
[WARNING]   javax.annotation.Nonnegative
.......
[WARNING] Found duplicate and different classes in [com.mercateo.spring:spring-security-jwt:1.0.6-SNAPSHOT, org.slf4j:slf4j-api:1.7.12]:
[WARNING]   org.slf4j.ILoggerFactory
[WARNING]   org.slf4j.IMarkerFactory
[WARNING]   org.slf4j.Logger
[WARNING]   org.slf4j.LoggerFactory
.....
[WARNING] Found duplicate and different classes in [com.fasterxml.jackson.core:jackson-annotations:2.9.0, com.mercateo.spring:spring-security-jwt:1.0.6-SNAPSHOT]:
[WARNING]   com.fasterxml.jackson.annotation.JacksonAnnotation
[WARNING]   com.fasterxml.jackson.annotation.JacksonAnnotationValue
[WARNING]   com.fasterxml.jackson.annotation.JacksonAnnotationsInside
.....
[WARNING] Found duplicate and different classes in [com.fasterxml.jackson.core:jackson-core:2.9.6, com.mercateo.spring:spring-security-jwt:1.0.6-SNAPSHOT]:
[WARNING]   com.fasterxml.jackson.core.Base64Variant
[WARNING]   com.fasterxml.jackson.core.Base64Variants
[WARNING]   com.fasterxml.jackson.core.FormatFeature
[WARNING]   com.fasterxml.jackson.core.FormatSchema
.....
[WARNING] Found duplicate and different classes in [com.fasterxml.jackson.core:jackson-databind:2.9.6, com.mercateo.spring:spring-security-jwt:1.0.6-SNAPSHOT]:
[WARNING]   com.fasterxml.jackson.databind.AbstractTypeResolver
[WARNING]   com.fasterxml.jackson.databind.AnnotationIntrospector
[WARNING]   com.fasterxml.jackson.databind.BeanDescription
.....
[WARNING] Found duplicate and different classes in [com.google.guava:guava:20.0, com.mercateo.spring:spring-security-jwt:1.0.6-SNAPSHOT]:
[WARNING]   com.google.common.annotations.Beta
[WARNING]   com.google.common.annotations.GwtCompatible
[WARNING]   com.google.common.annotations.GwtIncompatible
[WARNING]   com.google.common.annotations.VisibleForTesting
[WARNING]   com.google.common.base.Absent

The shade plugin should only be used with selected content, see also https://maven.apache.org/plugins/maven-shade-plugin/examples/includes-excludes.html.

[Mortinke]

FYI: The minimizeJar option didn't work for us. We still had a lot of problems with duplicate classes.

<configuration>
   <minimizeJar>true</minimizeJar>
</configuration>