lint-maven-plugin
I feel like having non-test scoped <dependencies/> in a pom packaging project is something that could be checked by maven lint
So, we had a situation where we were depending on a war project for some html files. We did this as a straight war dependency and let maven and the war plugin do the necessary overlay magic.
However, their war was accidentally including (unused) Spring jars in the WEB-INF/lib directory.
It was doing so because the parent project of their war had a <dependencies> stanza (instead of <dependencyManagement>) listing Spring and a few other things.
Worse, they had a jar project with the same parent that was relying on the dependency stanza being there.
I feel like there's almost never a reason to have dependencies listed in a pom project, instead they should be dependencyManagement.
I could be wrong though.
Sry, I don't understand your issue.
This is actually something idcmp and I discussed elsewhere, that I asked him to raise as an issue here. I'll explain the reasoning.
In a pom-type Maven project that is the parent of other modules, listing versions and scopes in <dependencyManagement> is the recommended way of maintaining versions in a single place, in a multi-module project.
However, it is rare to include <dependencies> (as opposed to <dependencyManagement>) in these parent projects. The sole legitimate use of this I've seen is to add things like junit, jmock, mockito, hamcrest, etc, in the test scope. Since test scope dependencies won't become transitive dependencies when other projects depend on yours, this doesn't create a mess. Including, for example, spring, in the <dependencies> of a pom-type parent project would mean every single project that uses it as a parent, and any project that depends on those children, would all end up with a dependency or transitive dependency on spring. Unless all modules in the multi-module project truly require spring (which I've found to be rare), including spring in the <dependencies> of the parent leads to unnecessary dependencies, a bit of a mess.
The lint maven plugin could easily enforce that all dependencies that aren't in <dependencyManagement>, in pom-type projects, are in the test scope.
In the rare case where one might actually want to do that (e.g. log4j, slf4j, etc) it's easy enough to add a NOLINT comment in the pom to allow it.
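
The check proposed in this thread, sketched as a standalone script. This is an added example, not code from lint-maven-plugin or from either commenter. It assumes a namespaced POM, treats any XML comment containing `NOLINT` inside a `<dependency>` as the suppression (the plugin's real comment syntax is not shown on this page), and only resolves scopes managed in the same file.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed parent POM for illustration; coordinates and versions are sample values.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>parent</artifactId><version>1.0</version>
  <packaging>pom</packaging>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.mockito</groupId><artifactId>mockito-core</artifactId>
      <version>0.0</version><scope>test</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId>
      <version>0.0</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>0.0</version><scope>test</scope></dependency>
    <dependency><groupId>org.mockito</groupId><artifactId>mockito-core</artifactId></dependency>
    <dependency><!-- NOLINT --><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>0.0</version></dependency>
  </dependencies>
</project>"""


def _key(dep):
    return (dep.findtext("m:groupId", "", NS).strip(), dep.findtext("m:artifactId", "", NS).strip())


def find_violations(pom_xml):
    """Return "groupId:artifactId" for each non-test <dependencies> entry of a pom-packaging POM."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments for NOLINT
    root = ET.fromstring(pom_xml, parser=parser)
    # Maven treats a missing <packaging> as "jar"; the rule only applies to "pom".
    if root.findtext("m:packaging", "jar", NS).strip() != "pom":
        return []
    # Scopes managed in this file; management inherited from a parent POM is not resolved here.
    managed = {_key(d): d.findtext("m:scope", "", NS).strip()
               for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)}
    violations = []
    # Direct children only, so <dependencyManagement>, <profiles> and plugin dependencies are skipped.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        scope = dep.findtext("m:scope", "", NS).strip() or managed.get(_key(dep)) or "compile"
        # Assumption: a comment containing NOLINT inside the <dependency> suppresses the finding.
        suppressed = any(c.tag is ET.Comment and "NOLINT" in (c.text or "") for c in dep)
        if scope != "test" and not suppressed:
            violations.append(":".join(_key(dep)))
    return violations


if __name__ == "__main__":
    print(find_violations(SAMPLE_POM))
```

On the sample, only the spring entry is reported: junit is test scoped, mockito picks up its test scope from `<dependencyManagement>`, and slf4j carries the suppression comment.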