You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Slawomir Jaranowski (Jira)" <ji...@apache.org> on 2023/03/14 22:24:00 UTC

[jira] [Commented] (MENFORCER-432) requireUpperBoundDeps support for checking dependencyManagement

    [ https://issues.apache.org/jira/browse/MENFORCER-432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700405#comment-17700405 ] 

Slawomir Jaranowski commented on MENFORCER-432:
-----------------------------------------------

Please retest with 3.2.1 version

> requireUpperBoundDeps support for checking dependencyManagement
> ---------------------------------------------------------------
>
>                 Key: MENFORCER-432
>                 URL: https://issues.apache.org/jira/browse/MENFORCER-432
>             Project: Maven Enforcer Plugin
>          Issue Type: Improvement
>          Components: Standard Rules
>    Affects Versions: 3.1.0
>            Reporter: Marcono1234
>            Priority: Minor
>
> For projects which are either used as parent by other projects, or which are used as Bill of Materials (BOM) and which declare dependencies in the {{dependencyManagement}} it would be useful if {{requireUpperBoundDeps}} was able to check the dependencies in the {{dependencyManagement}}. This would allow verifying that the versions of these managed dependencies are correct and do not cause any issues for consuming projects.
> Currently {{requireUpperBoundDeps}} seems to only check regular dependencies; this prevents it from being used directly on the parent / BOM project, but requires applying it on all consuming projects.
> It would be quite useful to already detect conflicting dependency versions directly in the parent / BOM project.
> Maybe a separate option for this (e.g. {{checkDependencyManagement}}) would be useful to allow enabling / disabling this check.
> It appears maven-dependency-tree already determines those managed dependencies in {{DefaultDependencyCollectorBuilder}} respectively {{Maven31DependencyCollectorBuilder}} (in older versions), but does not expose this information.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)