We need a policy on bumping dependency versions. We've had a number of issues lately related to transitive dependencies causing problems or interactions between modules. We need some additional tools to vet dependency changes, and the developer responsible for the change needs to address licensing issues in the commit. The latter part has fallen on me at release time and it's been a substantial time sink (not to mention hassle). We need to tighten up on dependencies generally.
At a minimum, I'd like to get agreement that a dependency change is followed by mvn notice:check from the project root to ensure passage, and any licensing issues are addressed in the same change set.

Recommendations for tools/processes to detect dependency issues? Best case would be to ensure that there is exactly one version of a dependency in each packaged artifact, and that an overlay WAR built from every combination of modules (or at least popular ones) has exactly one version. The latter sounds time consuming at face value, but worth the effort to deployers.

M
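One way to check the "exactly one version of a dependency in each packaged artifact" condition on a built WAR, as an added example that is not part of the original message or of the CAS build. The function names, the jar-name splitting heuristic and the sample jar names are assumptions made for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

# Heuristic: split "artifact-version.jar" at the first "-<digit>".
# Jar file names carry no formal artifactId/version boundary, so an
# artifactId that itself contains "-<digit>" will be split too early.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def duplicate_versions(war):
    """Return {artifact: [versions]} for every artifact that appears
    in WEB-INF/lib of the WAR with more than one version."""
    versions = defaultdict(set)
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            if not name.startswith("WEB-INF/lib/"):
                continue  # only bundled libraries are of interest
            m = JAR_RE.match(name.rsplit("/", 1)[1])
            if m:
                versions[m["artifact"]].add(m["version"])
    return {a: sorted(v) for a, v in versions.items() if len(v) > 1}


def build_sample_war():
    """Build a constructed in-memory WAR (hypothetical jar names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in ("example-codec-1.4.jar",
                    "example-codec-1.6.jar",        # second version, e.g. pulled in transitively
                    "example-logging-api-1.7.5.jar",
                    "example-core-2.0-SNAPSHOT.jar"):
            zf.writestr("WEB-INF/lib/" + jar, b"")
        zf.writestr("WEB-INF/classes/app.properties", b"")  # ignored by the check
    buf.seek(0)
    return buf


if __name__ == "__main__":
    dupes = duplicate_versions(build_sample_war())
    for artifact, found in sorted(dupes.items()):
        print(f"{artifact}: {', '.join(found)}")
    raise SystemExit(1 if dupes else 0)  # non-zero exit fails a build step
```

duplicate_versions also accepts a path to a WAR on disk, so the same check can be run against each overlay WAR a build produces.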