
Missing support for DependencyManagement in EnforceVersionsMojo

Open lexemmens opened this issue 5 years ago • 0 comments

The EnforceVersionsMojo currently provides no/insufficient support for the POM's DependencyManagement section. This leads to (at least) two different issues with this plugin that still allow projects/modules to depend on SNAPSHOT versions when this Mojo is executed:

  1. POM files that are effectively a Bill of Materials (BOM) and only list dependencies using DependencyManagement can still point to SNAPSHOT versions. Therefore, when depending on a released version of a BOM, one cannot simply assume that all underlying dependencies are also released.

  2. Projects that refer to a BOM with scope import using DependencyManagement may refer to a SNAPSHOT version of that BOM (although the BOM itself may refer to released versions).

The former can be solved by evaluating the project's DependencyManagement section by calling getDependencyManagement() on the project and its collected projects.

The latter requires evaluating the pom file using an XML parser, as the BOM is translated by Maven before the plugins are invoked. Therefore, the Mojo only has access to its resolved dependencies.
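A sketch of both checks in one helper, as an added example and not the plugin's own code: for the former it walks getDependencyManagement() on the project and its collected projects, for the latter it parses each raw pom.xml with XPath for import-scoped entries. The class name, the single-level resolution of ${property} versions and the parser hardening are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.apache.maven.artifact.ArtifactUtils;
import org.apache.maven.model.Dependency;
import org.apache.maven.model.DependencyManagement;
import org.apache.maven.project.MavenProject;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical helper (not part of the plugin): lists SNAPSHOT versions hidden in dependencyManagement.
public final class ManagedSnapshotScanner {
    // Imported BOMs are flattened by Maven before plugins run, so only the raw pom.xml still shows them.
    private static final String IMPORT_VERSIONS =
        "/project/dependencyManagement/dependencies/dependency[scope='import']/version";
    public static List<String> findSnapshots(MavenProject root) throws Exception {
        List<MavenProject> projects = new ArrayList<>();
        projects.add(root);
        if (root.getCollectedProjects() != null) projects.addAll(root.getCollectedProjects());
        List<String> offenders = new ArrayList<>();
        for (MavenProject p : projects) {
            // Check 1: the effective (resolved) dependencyManagement section the Mojo already sees.
            DependencyManagement dm = p.getDependencyManagement();
            if (dm != null) {
                for (Dependency d : dm.getDependencies()) {
                    if (d.getVersion() != null && ArtifactUtils.isSnapshot(d.getVersion())) {
                        offenders.add(p.getArtifactId() + " manages " + d.getManagementKey() + ":" + d.getVersion());
                    }
                }
            }
            // Check 2: the raw pom.xml, to catch <scope>import</scope> BOM entries and their versions.
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entities
            Document doc = factory.newDocumentBuilder().parse(p.getFile());
            NodeList versions = (NodeList) XPathFactory.newInstance().newXPath().evaluate(IMPORT_VERSIONS, doc, XPathConstants.NODESET);
            for (int i = 0; i < versions.getLength(); i++) {
                String raw = versions.item(i).getTextContent().trim();
                // Assumption: a single-level ${property} reference is resolved against the project's properties.
                String version = raw.startsWith("${") && raw.endsWith("}")
                    ? p.getProperties().getProperty(raw.substring(2, raw.length() - 1), raw) : raw;
                if (ArtifactUtils.isSnapshot(version)) {
                    offenders.add(p.getArtifactId() + " imports a BOM at version " + version);
                }
            }
        }
        return offenders;
    }
}
```

The Mojo would call findSnapshots(project) from execute() and fail the build with a MojoFailureException when the returned list is not empty.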

lexemmens avatar Apr 07 '20 10:04 lexemmens