Posted to issues@maven.apache.org by "Jimmy Axenhus (Jira)" <ji...@apache.org> on 2023/10/26 09:18:00 UTC

[jira] [Commented] (MENFORCER-494) Allow banning dynamic versions before computing the final dependency tree

    [ https://issues.apache.org/jira/browse/MENFORCER-494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17779811#comment-17779811 ] 

Jimmy Axenhus commented on MENFORCER-494:
-----------------------------------------

MENFORCER-405 and MENFORCER-406 seem to have a similar issue, but for a different rule.

> Allow banning dynamic versions before computing the final dependency tree
> -------------------------------------------------------------------------
>
>                 Key: MENFORCER-494
>                 URL: https://issues.apache.org/jira/browse/MENFORCER-494
>             Project: Maven Enforcer Plugin
>          Issue Type: Improvement
>          Components: banDynamicVersions
>    Affects Versions: 3.4.1
>            Reporter: Jimmy Axenhus
>            Priority: Major
>
> {{banDynamicVersions}} won't ban a dependency with a dynamic version if it exists multiple times in the dependency tree, as long as the final dependency tree has no dynamic version.
> As an example, consider the following dependency tree where D appears multiple times.
> {noformat}
> A
> +- B
> |  \- D version 1.0
> \- C
>    \- D version [1.0,2.0){noformat}
> Before the rule {{banDynamicVersions}} is applied, the final dependency tree is computed, which means we end up with the following.
> {noformat}
> A
> +- B
> |  \- D version 1.0
> \- C{noformat}
> This computed dependency tree is fine by itself and has no dynamic versions, but if the original dependency tree changes for whatever reason (such as D no longer being a dependency of B), the rule will now detect the dynamic version of D that C is trying to use.
> {noformat}
> A
> +- B
> \- C
>    \- D version [1.0,2.0){noformat}
> The above example is actually something that happens to me. For various reasons, I have a Maven project A with the dependencies B and C being developed independently from each other. In order to have a reproducible build, I've applied the {{banDynamicVersions}} rule to the entire project. As B or C might introduce or remove dependencies at will, I could actually end up with B removing the dependency on D, and suddenly my project won't build any longer. At that moment I do not have the possibility of making C use a fixed version of D, and I do not want to introduce a dependency on D in my project A just to resolve that (my dependency tree is much larger than this and it will be unreasonable to keep fixing things up).
> In order to solve that, I want to ban dynamic versions in the entire dependency tree before the final dependency tree is computed. This currently isn't supported by the plugin.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
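
The behaviour reported above, as an added example that is not part of the original message or the plugin's code: a simplified Python model of nearest-wins mediation over the trees from the issue, showing that a check on the mediated tree misses the range on D until B drops its dependency, while a check on the declared tree flags it from the start. The function names, the placeholder versions of A, B and C, and the `is_dynamic` heuristic are assumptions.

```python
from collections import deque

# Constructed trees from the issue text: (artifact, version, children).
# Versions of A, B and C are placeholders; the issue does not give them.
WITH_B_D = ("A", "1", [("B", "1", [("D", "1.0", [])]),
                       ("C", "1", [("D", "[1.0,2.0)", [])])])
WITHOUT_B_D = ("A", "1", [("B", "1", []),
                          ("C", "1", [("D", "[1.0,2.0)", [])])])


def is_dynamic(version):
    """Simplified heuristic (assumption): ranges, LATEST, RELEASE, SNAPSHOT."""
    ranged = version.startswith(("[", "(")) and "," in version
    return (ranged or version in ("LATEST", "RELEASE")
            or version.endswith("-SNAPSHOT"))


def walk(tree, mediate):
    """Breadth-first walk returning (path, version) pairs.

    mediate=True models nearest-wins: the first occurrence of an artifact
    is kept, later occurrences are omitted together with their subtrees.
    mediate=False returns every declared node, as before mediation.
    """
    seen, queue, out = set(), deque([(tree, ())]), []
    while queue:
        (name, version, children), parents = queue.popleft()
        if mediate and name in seen:
            continue  # omitted for conflict: its version is never inspected
        seen.add(name)
        path = parents + (name,)
        out.append((" > ".join(path), version))
        queue.extend((child, path) for child in children)
    return out


def banned(tree, mediate):
    """Nodes a dynamic-version ban would report for the chosen view."""
    return [(p, v) for p, v in walk(tree, mediate) if is_dynamic(v)]


if __name__ == "__main__":
    for label, tree in (("B depends on D", WITH_B_D),
                        ("B dropped D", WITHOUT_B_D)):
        print(label, "| mediated:", banned(tree, True),
              "| declared:", banned(tree, False))
```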