Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2019/12/15 18:07:00 UTC

[jira] [Commented] (MENFORCER-243) Create rule to check versions of dependencies

    [ https://issues.apache.org/jira/browse/MENFORCER-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16996817#comment-16996817 ] 

Elliotte Rusty Harold commented on MENFORCER-243:
-------------------------------------------------

"Best practice is to define all dependencies via dependencyManagement block and only use those dependencies but don't override the versions."

Is this true? It's not a rule I'm familiar with and most poms don't do this. This could be added via a custom rule. It doesn't need to be bundled, so I'm inclined to won't fix this one if no one objects.

> Create rule to check versions of dependencies
> ---------------------------------------------
>
>                 Key: MENFORCER-243
>                 URL: https://issues.apache.org/jira/browse/MENFORCER-243
>             Project: Maven Enforcer Plugin
>          Issue Type: Improvement
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>
> Create an enforcer rule which checks if dependencies have been given using versions or not.
> Best practice is to define all dependencies via dependencyManagement block and only use those dependencies but don't override the versions. This should be checked by this enforcer rule.
> {code:xml}
> <dependencyManagement>
>   <dependencies>
>     <dependency>
>       <groupId>org.testng</groupId>
>       <artifactId>testng</artifactId>
>       <version>6.8.1</version>
>     </dependency>
>     ..
>   </dependencies>
> </dependencyManagement>
> {code}
> Now we can use the above dependency:
> The following should not be disallowed by the enforcer rule, because the parent can't control the version of the dependency.
> {code:xml}
>   <dependencies>
>     <dependency>
>       <groupId>org.testng</groupId>
>       <artifactId>testng</artifactId>
>       <version>6.8.1</version>
>     </dependency>
>     ..
>   </dependencies>
> {code}
> The following is allowed:
> {code:xml}
>   <dependencies>
>     <dependency>
>       <groupId>org.testng</groupId>
>       <artifactId>testng</artifactId>
>       <scope>test</scope>
>     </dependency>
>     ..
>   </dependencies>
> {code}
> Furthermore we could make a supplemental enhancement here to force usage of the {{scope}} only at the usage and not in dependencyManagement.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
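
The check the issue describes, written as a stand-alone Python script (an added example, not part of the original message and not Maven Enforcer code). It inspects one POM in the standard namespace without resolving parents, imported BOMs or properties; `check_pom` and the sample POM are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
OVERRIDE = "declares a version for a managed dependency"
UNMANAGED = "not listed in dependencyManagement"

# Constructed sample POM: testng repeats a managed version, junit is used
# as the issue recommends, com.example:util bypasses dependencyManagement.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.testng</groupId><artifactId>testng</artifactId><version>6.8.1</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.testng</groupId><artifactId>testng</artifactId><version>6.8.1</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><scope>test</scope></dependency>
    <dependency><groupId>com.example</groupId><artifactId>util</artifactId><version>1.0</version></dependency>
  </dependencies>
</project>"""

def _ga(dep):
    """Return (groupId, artifactId) for a <dependency> element."""
    return (dep.findtext("m:groupId", "", NS).strip(),
            dep.findtext("m:artifactId", "", NS).strip())

def check_pom(pom_xml):
    """List (groupId:artifactId, problem) for each direct dependency at fault."""
    # Parse only POMs you trust here, or swap in a hardened XML parser.
    root = ET.fromstring(pom_xml)
    managed = {_ga(d) for d in root.findall(
        "m:dependencyManagement/m:dependencies/m:dependency", NS)}
    findings = []
    # Direct children of <project>/<dependencies> only; profiles are ignored.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        ga = _ga(dep)
        if ga not in managed:
            findings.append((":".join(ga), UNMANAGED))
        elif dep.find("m:version", NS) is not None:
            findings.append((":".join(ga), OVERRIDE))
    return findings

if __name__ == "__main__":
    for coords, problem in check_pom(SAMPLE_POM):
        print(f"{coords}: {problem}")
```
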