[ https://issues.apache.org/jira/browse/MDEP-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17491731#comment-17491731 ]

Thorsten Glaser commented on MDEP-753:
--------------------------------------

{quote}Flagging transitive compile dependencies as "non-test scoped test-only 
dependency" is incorrect, because these dependencies are *not* test-only.
{quote}
This is not correct.
{quote}They are required by the compiler to compile the code.
{quote}
This is correct. But that doesn’t mean they are not test-only: only the tests 
*directly* use it.

As far as I can tell, maven-dependency-plugin here attempts to do something 
that is not currently possible with Maven. OpenBSD’s change to binutils (hide 
transitive dependencies in the {{ld(1)}} linker if they are not also explicitly 
depended on) is something I have long wished for, but it doesn’t work with the 
contemporary Java™ model of just throwing all dependencies into “the” classpath.

Rather, the compiler would need to see *only* the explicitly depended-on 
modules (so that using a symbol from e.g. spring-core in {{src/main/}} when not 
explicitly depended on would be a compiler failure!), and only for looking 
_into_ +these+ it would even consider _their_ transitive _direct_ dependencies… 
and for those, theirs, etc.

I’m all for minimising the direct dependencies, of course.

In my last comment I suggested the plugin recognise the very situation in your 
example and suggest proper ignore XML. Another option would be to just skip the 
warnings in that case (direct dependency only in {{src/test/}} but indirect 
dependency in {{compile}} scope from a module that’s directly depended on (this 
part is important)). It’d be a realistic compromise.

One of the developers said the test-only analysis only looks at bytecode. But I 
believe this can be done in a kind of postprocessing step. When we have a list 
of test-only direct dependencies, and we can obtain a list of both direct and 
transitive dependencies in nōn-test scope, and if a test-only dependency shows 
up in the latter list, the warning is skipped. (Maybe it’s not that easy. Also, 
to get the scopes right, there’s more than two, might be tricky. But it’d be 
worthwhile.)

> Non-test dependency reported as Non-test scoped test only dependency
> --------------------------------------------------------------------
>
>                 Key: MDEP-753
>                 URL: https://issues.apache.org/jira/browse/MDEP-753
>             Project: Maven Dependency Plugin
>          Issue Type: Bug
>          Components: analyze
>    Affects Versions: 3.2.0
>            Reporter: Elliotte Rusty Harold
>            Assignee: Elliotte Rusty Harold
>            Priority: Critical
>             Fix For: 3.3.0
>
>         Attachments: chas.zip, tj.zip
>
>
> Saw this when updating the google-http-java-client from 3.1.2 to 3.2.0 of the 
> plugin. I'm not immediately sure whether this is a regression:
> [INFO] --- maven-dependency-plugin:3.2.0:analyze (default-cli) @ 
> google-http-client ---
> Warning:  Non-test scoped test only dependencies found:
> Warning:     com.google.guava:guava:jar:30.1.1-android:compile
> Warning:     io.opencensus:opencensus-api:jar:0.28.0:compile
> Changing Guava to scope test breaks the build, which is expected based on the 
> code. The warning seems incorrect. 
> https://github.com/googleapis/google-http-java-client/pull/1396
> https://github.com/googleapis/google-http-java-client/pull/1396/checks?check_run_id=2809438131



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
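
The postprocessing step proposed in the comment above, sketched as an added example (not code from maven-dependency-plugin or from the commenter). It assumes the dependency graph is already available as plain dictionaries, applies Maven's documented scope mediation for transitive dependencies, and ignores optional dependencies and exclusions; the function names and the `com.example` coordinates are hypothetical.

```python
from collections import deque

# Maven scope mediation: (scope of the path so far, scope declared on the next
# edge) -> effective scope. Absent pairs (provided/test edges) are not inherited.
MEDIATION = {
    ("compile", "compile"): "compile", ("compile", "runtime"): "runtime",
    ("provided", "compile"): "provided", ("provided", "runtime"): "provided",
    ("runtime", "compile"): "runtime", ("runtime", "runtime"): "runtime",
    ("test", "compile"): "test", ("test", "runtime"): "test",
}

def transitive_scopes(direct, poms, skip):
    """Effective scopes of every artifact reachable through the direct
    dependencies, ignoring the direct declaration of `skip` itself."""
    found = {}
    queue = deque((ga, scope) for ga, scope in direct.items() if ga != skip)
    seen = set(queue)
    while queue:
        ga, scope = queue.popleft()
        for child, declared in poms.get(ga, {}).items():
            effective = MEDIATION.get((scope, declared))
            if effective is None or (child, effective) in seen:
                continue
            seen.add((child, effective))
            found.setdefault(child, set()).add(effective)
            queue.append((child, effective))
    return found

def filter_warnings(flagged, direct, poms):
    """Split flagged 'test only' artifacts into (kept, suppressed): a warning is
    suppressed when the artifact also arrives in a non-test scope through
    another directly declared dependency."""
    kept, suppressed = [], []
    for ga in flagged:
        scopes = transitive_scopes(direct, poms, skip=ga).get(ga, set())
        (suppressed if scopes - {"test"} else kept).append(ga)
    return kept, suppressed

# Constructed sample graph (not the real google-http-java-client POMs).
DIRECT = {"com.example:lib-a": "compile", "com.example:test-kit": "test",
          "com.google.guava:guava": "compile",
          "io.opencensus:opencensus-api": "compile"}
POMS = {"com.example:lib-a": {"com.example:lib-b": "compile"},
        "com.example:lib-b": {"com.google.guava:guava": "compile"},
        "com.example:test-kit": {"io.opencensus:opencensus-api": "compile"}}
FLAGGED = ["com.google.guava:guava", "io.opencensus:opencensus-api"]
```

In the constructed graph the Guava warning is suppressed because Guava also arrives in compile scope via `lib-a`, while the opencensus-api warning is kept because its only other path runs through a test-scoped dependency.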
