Posted to users@maven.apache.org by Kevin Burton <bu...@spinn3r.com> on 2015/11/12 22:22:10 UTC

Locking down dependency versions...

Is there a maven module that can lock down dependency versions?

I have a custom / in house script we wrote that writes a .dependencies file
with the jar dependencies.

If we commit without updating it, CI will fail with an error because you
didn't manually approve the change by regenerating the .dependencies file.

This way we don't have to worry about a radical dependency change due to a
new dependency breaking our tree.

The problem is I'm starting to break off our code into sub-projects and I'd
like to use this everywhere.

Kevin

-- 

We’re hiring if you know of any awesome Java Devops or Linux Operations
Engineers!

Founder/CEO Spinn3r.com
Location: *San Francisco, CA*
blog: http://burtonator.wordpress.com
… or check out my Google+ profile
<https://plus.google.com/102718274791889610666/posts>
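Kevin's .dependencies check, as an added example (not the in-house script from the post, nor Maven's own code): a Python check that builds a lock from the text `mvn dependency:list -DoutputFile=<file>` writes (one `groupId:artifactId:type[:classifier]:version:scope` line per resolved artifact), compares it with the committed lock, and reports every added, removed or re-versioned artifact so that a transitive change has to be approved by regenerating the lock. The lock format, file names and both sample outputs are constructed for illustration; the `-- module ...` tail that newer versions of the dependency plugin append is ignored.

```python
"""Lock-file check for resolved Maven dependency versions (added example)."""
import re
import sys
from pathlib import Path

# A resolved-artifact line, optionally prefixed by "[INFO]" and suffixed by
# the "-- module ..." note newer plugin versions add. Anything else
# (headers, separators, "BUILD SUCCESS") is skipped.
LINE = re.compile(r"^(?:\[INFO\]\s*)?([\w.\-]+(?::[\w.\-]+){4,5})\s*(?:--.*)?$")


def parse_dependency_list(text):
    """Map 'group:artifact[:classifier]' -> 'version:scope' from dependency:list output."""
    deps = {}
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue
        parts = match.group(1).split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
            key = f"{group}:{artifact}"
        else:
            group, artifact, _type, classifier, version, scope = parts
            key = f"{group}:{artifact}:{classifier}"
        deps[key] = f"{version}:{scope}"
    return deps


def render_lock(deps):
    """Sorted, diff-friendly lock text; regenerate it to approve a change."""
    lines = ["# dependency lock: regenerate to approve a change in the resolved tree"]
    lines += [f"{key}={value}" for key, value in sorted(deps.items())]
    return "\n".join(lines) + "\n"


def parse_lock(text):
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        deps[key] = value
    return deps


def diff_locks(locked, current):
    """Human-readable differences between the lock and the resolved tree."""
    changes = []
    for key in sorted(set(locked) | set(current)):
        old, new = locked.get(key), current.get(key)
        if old == new:
            continue
        if old is None:
            changes.append(f"+ {key} {new}")
        elif new is None:
            changes.append(f"- {key} {old}")
        else:
            changes.append(f"~ {key} {old} -> {new}")
    return changes


def check_lock(lock_text, dependency_list_text):
    """(True, []) when the resolved tree matches the committed lock."""
    changes = diff_locks(parse_lock(lock_text), parse_dependency_list(dependency_list_text))
    return not changes, changes


# Constructed sample: the committed lock ...
LOCKED = """\
# dependency lock: regenerate to approve a change in the resolved tree
com.google.guava:guava=18.0:compile
org.slf4j:slf4j-api=1.7.12:compile
"""

# ... and constructed dependency:list output after someone added a library
# that transitively pulls in a newer guava.
RESOLVED_NOW = """\
[INFO] --- maven-dependency-plugin:2.10:list (default-cli) @ app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO]    com.google.guava:guava:jar:19.0:compile
[INFO]    org.example:newlib:jar:2.3.0:compile -- module org.example.newlib
[INFO]    org.example:newlib:jar:native:2.3.0:runtime
[INFO]
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    # usage: lockcheck.py .dependencies target/dependency-list.txt
    if len(sys.argv) == 3:
        lock_text, list_text = (Path(p).read_text(encoding="utf-8") for p in sys.argv[1:])
    else:
        lock_text, list_text = LOCKED, RESOLVED_NOW
    ok, changes = check_lock(lock_text, list_text)
    print("\n".join(changes) or "resolved dependency tree matches the lock")
    sys.exit(0 if ok else 1)
```

In CI the two file arguments would be the committed lock and the file written by `dependency:list -DoutputFile=...`; approving a change means writing `render_lock(parse_dependency_list(...))` back to the lock and committing it. Keying on group, artifact and classifier (not type or scope) keeps the diff focused on what actually ends up on the classpath.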

Re: Locking down dependency versions...

Posted by Jeff Jensen <je...@upstairstechnology.com>.
I suggest reviewing the enforcer plugin [0] to see if any of its rules can
help you.  Specifically, I wonder about [1] and [2].

I like to use many of these rules to help keep a resilient build.  The main
hassle is some dependencies "bleed", but usually you just need to exclude their
transitives or work with the source product to help them clean up their pom
(and sometimes it's because "your" pom didn't declare a version for a
previously unknown transitive :-).


[0] http://maven.apache.org/enforcer/maven-enforcer-plugin/
[1] http://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html
[2] http://maven.apache.org/enforcer/enforcer-rules/banTransitiveDependencies.html


On Thu, Nov 12, 2015 at 4:00 PM, Kevin Burton <bu...@spinn3r.com> wrote:

> Just regular dependency versions.
>
> So if we're using 1.0.1 of library A I don't want adding adding library B
> to transitively change our dependency on library A...
>
> This has happened to us before and caused problems.

Re: Locking down dependency versions...

Posted by Jörg Schaible <jo...@swisspost.com>.
Kevin Burton wrote:

> Just regular dependency versions.
> 
> So if we're using 1.0.1 of library A I don't want adding adding library B
> to transitively change our dependency on library A...
> 
> This has happened to us before and caused problems.

Use a shared parent where you define all dependencies and their versions in 
the dependencyManagement section. These definitions then also apply to 
transitive deps. Additionally, you may never declare versions directly for a 
dependency ... always inherit from the depMgmt section of the shared parent.

Cheers,
Jörg


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Locking down dependency versions...

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi Kevin,

On 11/12/15 11:00 PM, Kevin Burton wrote:
> Just regular dependency versions.
>
> So if we're using 1.0.1 of library A I don't want adding adding library
> B to transitively change our dependency on library A...

If you have a direct dependency on library A in version 1.0.1, then adding 
another lib B which has a dependency on library A in version 2.0.0 means 
your project will use 1.0.1... (the shorter the distance, the more 
important such a dependency is)...

So I don't see the point, or do I misunderstand something?

Kind regards
Karl Heinz Marbaise

>
> This has happened to us before and caused problems.

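Karl Heinz's reply above describes Maven's nearest-wins mediation, Jörg's the dependencyManagement fix, and Jeff's the enforcer rules. What follows is an added example, not code from any of the posts or from Maven itself: a small Python model of that mediation run over a constructed graph. It shows the case Karl Heinz describes (a directly declared A 1.0.1 is kept when B brings in A 2.0.0), the case Kevin hit (when A is reached only transitively, declaring a new library ahead of the old one at the same depth flips A's version, because Maven breaks ties by first declaration), and the managed-version pin that stops it. The `conflicts` set is roughly what the dependencyConvergence rule fails the build on and `undeclared_transitives` what banTransitiveDependencies reports; treating a managed version as resolving a conflict is this model's assumption, and scopes, exclusions, optional flags and version ranges are ignored. Library names, versions and the graph are made up.

```python
"""Model of Maven's "nearest wins" dependency mediation (added example)."""
from collections import deque

# (groupId:artifactId, version) -> dependencies it declares, in POM order.
# Constructed sample graph: B and C both pull in A, at different versions.
GRAPH = {
    ("lib:A", "1.0.1"): [],
    ("lib:A", "2.0.0"): [],
    ("lib:B", "3.0.0"): [("lib:A", "2.0.0")],
    ("lib:C", "1.4.0"): [("lib:A", "1.0.1")],
}


def mediate(direct, graph=GRAPH, managed=None):
    """Resolve a dependency tree the way Maven's mediation does.

    direct:  the project's own <dependencies>, in declaration order
    managed: {groupId:artifactId: version} from <dependencyManagement>

    Returns (resolved, conflicts). resolved maps each artifact to the version
    that wins: breadth-first traversal makes the declaration nearest the root
    win, and within one depth the first declared wins. conflicts is the set
    of artifacts for which more than one version was requested anywhere in
    the tree, which is what a convergence rule complains about.
    """
    managed = managed or {}
    resolved = {}
    requested = {}
    queue = deque(direct)                     # breadth-first == nearest first
    while queue:
        ga, version = queue.popleft()
        version = managed.get(ga, version)    # management applies at every depth
        requested.setdefault(ga, set()).add(version)
        if ga in resolved:
            continue                          # a nearer/earlier declaration won; its subtree is omitted
        resolved[ga] = version
        queue.extend(graph.get((ga, version), []))
    conflicts = {ga for ga, versions in requested.items() if len(versions) > 1}
    return resolved, conflicts


def undeclared_transitives(direct, resolved):
    """Artifacts on the classpath that the project never declared itself."""
    return set(resolved) - {ga for ga, _ in direct}


if __name__ == "__main__":
    # Karl Heinz's case: A declared directly stays at 1.0.1 after adding B.
    print(mediate([("lib:A", "1.0.1"), ("lib:B", "3.0.0")]))
    # Kevin's case: A comes only via C ...
    print(mediate([("lib:C", "1.4.0")]))
    # ... and declaring B ahead of C flips A to 2.0.0: both A declarations
    # sit at depth 2, and B's is declared first.
    print(mediate([("lib:B", "3.0.0"), ("lib:C", "1.4.0")]))
    # Jörg's fix: a managed version pins A no matter who pulls it in.
    pinned, _ = mediate([("lib:B", "3.0.0"), ("lib:C", "1.4.0")], managed={"lib:A": "1.0.1"})
    print(pinned, undeclared_transitives([("lib:B", "3.0.0"), ("lib:C", "1.4.0")], pinned))
```

The flip in the third call is the quiet failure mode: nothing in the project's own POM mentions A, so a review of the diff that adds B shows no version change at all. That is why a lock on the resolved tree, or a managed version for every artifact that matters, is worth more than relying on declaration order.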

Re: Locking down dependency versions...

Posted by Kevin Burton <bu...@spinn3r.com>.
Just regular dependency versions.

So if we're using 1.0.1 of library A I don't want adding library B
to transitively change our dependency on library A...

This has happened to us before and caused problems.

On Thu, Nov 12, 2015 at 1:40 PM, Karl Heinz Marbaise <kh...@gmx.de>
wrote:

> Hi Kevin,
>
> On 11/12/15 10:22 PM, Kevin Burton wrote:
>
>> Is there a maven module that can lock down dependency versions?
>>
>
> Are you talking about SNAPSHOTs or something different?

Re: Locking down dependency versions...

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi Kevin,

On 11/12/15 10:22 PM, Kevin Burton wrote:
> Is there a maven module that can lock down dependency versions?

Are you talking about SNAPSHOTs or something different?


Kind regards
Karl Heinz Marbaise
