You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Joseph Walton (Jira)" <ji...@apache.org> on 2020/04/03 14:20:00 UTC

[jira] [Commented] (MNG-5818) Disallow plugins from programmatically adding dependencies to projects

    [ https://issues.apache.org/jira/browse/MNG-5818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17074618#comment-17074618 ] 

Joseph Walton commented on MNG-5818:
------------------------------------

The {{@Deprecated}} annotation is added but (e.g.) {{cobertura-maven-plugin}} 2.7, [still calls {{setDependencyArtifacts}}|https://github.com/mojohaus/cobertura-maven-plugin/blob/4dbda2c19ebad2c5fe7610421254f86faf9642a6/src/main/java/org/codehaus/mojo/cobertura/CoberturaInstrumentMojo.java#L247]:
{code:java}
            Set<Artifact> set = new LinkedHashSet<Artifact>( this.getProject().getDependencyArtifacts() );
            set.add( coberturaArtifact );
            this.getProject().setDependencyArtifacts( set );
{code}
The comment for [4567c83|https://github.com/apache/maven/commit/4567c8319e95d58e258e9a8c2067ed9bbe01b58e] says:
{quote}I'm going to try and create a call-graph for all of Maven Central with my
 first test to see if I can accurately detect all usages of MavenProject.setDependencyArtifacts
 of artifact in Maven Central.
{quote}
Either that needs to happen, or this method could be deleted first and mojos can be fixed when breakage is noticed.

> Disallow plugins from programmatically adding dependencies to projects
> ----------------------------------------------------------------------
>
>                 Key: MNG-5818
>                 URL: https://issues.apache.org/jira/browse/MNG-5818
>             Project: Maven
>          Issue Type: Task
>            Reporter: Jason van Zyl
>            Priority: Major
>
> MavenProject.setDependencyArtifacts(deps) is publicly available to plugins that can alter the classpath non-declaratively. For compatibility reasons in MNG-4363 we restored this capability for the cobertura-maven-plugin but it needs to be removed. It causes some nasty logic in the core, but it being non-delclarative and magical is the real problem.
> We need to deprecate MavenProject.setDependencyArtifacts(deps), and replace the logic for constructing the artifacts in a better. Preferably passing in the artifacts in the constructor of MavenProject.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)