Posted to issues@maven.apache.org by "Jimmy Axenhus (Jira)" <ji...@apache.org> on 2023/10/26 09:18:00 UTC
[jira] [Commented] (MENFORCER-494) Allow banning dynamic versions before computing the final dependency tree
[ https://issues.apache.org/jira/browse/MENFORCER-494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17779811#comment-17779811 ]
Jimmy Axenhus commented on MENFORCER-494:
-----------------------------------------
MENFORCER-405 and MENFORCER-406 seem to have a similar issue, but for a different rule.
> Allow banning dynamic versions before computing the final dependency tree
> -------------------------------------------------------------------------
>
> Key: MENFORCER-494
> URL: https://issues.apache.org/jira/browse/MENFORCER-494
> Project: Maven Enforcer Plugin
> Issue Type: Improvement
> Components: banDynamicVersions
> Affects Versions: 3.4.1
> Reporter: Jimmy Axenhus
> Priority: Major
>
> {{banDynamicVersions}} won't ban a dependency with a dynamic version if it exists multiple times in the dependency tree, as long as the final dependency tree has no dynamic version.
> As an example consider the following dependency tree where D appears multiple times.
> {noformat}
> A
> +- B
> |  \- D version 1.0
> \- C
>    \- D version [1.0,2.0){noformat}
> Before the rule {{banDynamicVersions}} is applied, the final dependency tree is computed, which means we end up with the following.
> {noformat}
> A
> +- B
> |  \- D version 1.0
> \- C{noformat}
> This computed dependency tree is fine by itself and has no dynamic versions but if the original dependency tree changes for whatever reason (such as D no longer being a dependency of B) the rule will now detect the dynamic version of D that C is trying to use.
> {noformat}
> A
> +- B
> \- C
>    \- D version [1.0,2.0){noformat}
> The above example is actually something that happens to me. For various reasons I have a Maven project A with the dependencies B and C being developed independently from each other. In order to have a reproducible build I've applied the {{banDynamicVersions}} rule to the entire project. As B or C might introduce or remove dependencies at will I could actually end up with B removing the dependency on D and suddenly my project won't build any longer. At that moment I do not have the possibility of making C use a fixed version of D, and I do not want to introduce a dependency on D in my project A just to resolve that (my dependency tree is much larger than this and it will be unreasonable to keep fixing things up).
> In order to solve that I want to ban dynamic versions in the entire dependency tree before the final dependency tree is computed. This currently isn't supported by the plugin.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
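
The gap described in the report, as an added example that is not part of the original message and not the Enforcer plugin's code: it scans the same tree for dynamic versions once as declared and once after a simplified mediation step. The function names, the "first declaration seen breadth-first wins" model, the dynamic-version pattern, and the 1.0 versions given to A, B and C are assumptions made for illustration.

```python
import re
from collections import deque

# Simplified pattern (assumption): comma-bearing Maven ranges such as [1.0,2.0),
# plus LATEST, RELEASE and -SNAPSHOT. A pinned "[1.0]" is not treated as dynamic.
DYNAMIC = re.compile(r"^[\[(].*,.*[\])]$|^(LATEST|RELEASE)$|-SNAPSHOT$")

def is_dynamic(version):
    return bool(DYNAMIC.search(version))

def declared(root):
    """Every declared node, breadth-first, as (path, version) before mediation."""
    queue = deque([((root[0],), root)])
    while queue:
        path, (_name, version, children) = queue.popleft()
        yield path, version
        for child in children:
            queue.append((path + (child[0],), child))

def mediated(root):
    """Simplified mediation: the first declaration seen breadth-first is kept."""
    winners = {}
    queue = deque([((root[0],), root)])
    while queue:
        path, (name, version, children) = queue.popleft()
        if name in winners:
            continue  # the losing declaration is dropped with its subtree
        winners[name] = (path, version)
        for child in children:
            queue.append((path + (child[0],), child))
    return list(winners.values())

def dynamic_hits(entries):
    """Return (path, version) for every entry whose version is dynamic."""
    return [(" > ".join(path), v) for path, v in entries if is_dynamic(v)]

def tree(b_depends_on_d):
    """Constructed trees mirroring the report: A -> B, C; D under C uses a range."""
    b = ("B", "1.0", [("D", "1.0", [])] if b_depends_on_d else [])
    c = ("C", "1.0", [("D", "[1.0,2.0)", [])])
    return ("A", "1.0", [b, c])

if __name__ == "__main__":
    for b_has_d in (True, False):
        t = tree(b_has_d)
        print("B depends on D:", b_has_d)
        print("  declared tree hits:", dynamic_hits(declared(t)))
        print("  mediated tree hits:", dynamic_hits(mediated(t)))
```

While B still depends on D, only the scan over the declared tree reports the range that C declares; the mediated scan reports it only once B drops D, which is the build break the report describes.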