Missing support for DependencyManagement in EnforceVersionsMojo #118

Open
lexemmens opened this issue Apr 7, 2020 · 0 comments


The EnforceVersionsMojo currently provides no/insufficient support for the POM's DependencyManagement section. This leads to (at least) two different issues with this plugin that still allow projects/modules to depend on SNAPSHOT versions when this Mojo is executed:

  1. POM files that are effectively a Bill of Materials (BOM) and only list dependencies using DependencyManagement can still point to SNAPSHOT versions. Therefore, when depending on a released version of a BOM, one cannot simply assume that all underlying dependencies are also released.

  2. Projects that refer to a BOM with scope import using DependencyManagement may refer to a SNAPSHOT version of that BOM (although the BOM itself may refer to released versions).

The former can be solved by evaluating the project's DependencyManagement section by calling getDependencyManagement() on the project and its collected projects.

The latter requires evaluating the POM file using an XML parser, as the BOM is translated by Maven before the plugins are invoked. Therefore, the Mojo only has access to its resolved dependencies.
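As an added illustration of the two checks proposed above (example code, not the plugin's own): a hypothetical helper that walks the effective DependencyManagement of the project and its collected projects, then re-reads each raw pom.xml with Maven's MavenXpp3Reader to find import-scoped BOMs, since the effective model no longer carries the import entry. ManagedSnapshotCheck and findManagedSnapshots are assumed names, and the property lookup is a simplification that does not cover built-in expressions such as ${project.version}.

```java
import java.io.FileReader;
import java.io.Reader;
import java.util.ArrayList;
import java.util.List;
import org.apache.maven.artifact.ArtifactUtils;
import org.apache.maven.model.Dependency;
import org.apache.maven.model.DependencyManagement;
import org.apache.maven.model.Model;
import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
import org.apache.maven.project.MavenProject;

// Hypothetical helper (not part of the plugin): reports managed dependencies and imported
// BOMs that still point at SNAPSHOT versions, for the root project and its modules.
public final class ManagedSnapshotCheck {
    public static List<String> findManagedSnapshots(MavenProject root) throws Exception {
        List<MavenProject> projects = new ArrayList<>();
        projects.add(root);
        if (root.getCollectedProjects() != null) {
            projects.addAll(root.getCollectedProjects());
        }
        List<String> offenders = new ArrayList<>();
        for (MavenProject project : projects) {
            // Case 1: effective model. Versions are already interpolated, so a BOM-style POM
            // that manages a SNAPSHOT is caught directly (covers issue 1 above).
            DependencyManagement dm = project.getDependencyManagement();
            if (dm != null) {
                for (Dependency d : dm.getDependencies()) {
                    if (d.getVersion() != null && ArtifactUtils.isSnapshot(d.getVersion())) {
                        offenders.add(project.getArtifactId() + " manages " + d.getGroupId()
                                + ":" + d.getArtifactId() + ":" + d.getVersion());
                    }
                }
            }
            // Case 2: raw pom.xml. Maven merges an imported BOM into the effective model and
            // drops the <scope>import</scope> entry, so the BOM's version only exists on disk.
            try (Reader in = new FileReader(project.getFile())) {
                Model raw = new MavenXpp3Reader().read(in);
                if (raw.getDependencyManagement() == null) continue;
                for (Dependency d : raw.getDependencyManagement().getDependencies()) {
                    if (!"import".equals(d.getScope())) continue;
                    String v = d.getVersion();
                    // Raw versions may be property references such as ${bom.version}; resolve
                    // them against the project's interpolated properties (simplified lookup).
                    if (v != null && v.startsWith("${") && v.endsWith("}")) {
                        v = project.getProperties().getProperty(v.substring(2, v.length() - 1));
                    }
                    if (v != null && ArtifactUtils.isSnapshot(v)) {
                        offenders.add(project.getArtifactId() + " imports " + d.getGroupId()
                                + ":" + d.getArtifactId() + ":" + v);
                    }
                }
            }
        }
        return offenders;
    }
}
```

A Mojo would fail the build when the returned list is non-empty, so that neither a SNAPSHOT managed by a BOM nor a SNAPSHOT BOM import slips through a release.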
