On 23/11/2023 17:19, Elliotte Rusty Harold wrote:
> It is possible for a client project to override transitive dependencies, but you need to be careful. Using a BOM is one of the easier ways to manage these problems: https://jlbp.dev/JLBP-15
This is exactly why it's a good idea for commonly used projects (such as all of Apache Commons) to use the latest stable dependencies themselves. If everyone is on the latest stable version, dependency hell is mitigated, more security issues get mitigated, and developers spend less time fighting with BOMs or dependency overrides.
Dependabot (and its ilk) makes this fairly straightforward in many cases. But as Gary just mentioned, incompatibilities (e.g. JUnit upgrades) do arise. Addressing those is tedious and thankless work. If no one volunteers, nothing gets done.
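As an added illustration, not taken from either message or from any Apache Commons project, here is a consumer pom.xml showing the two mechanisms mentioned above: importing a BOM so one project's artifacts resolve as a coherent set, and pinning a single transitive dependency to a patched release through dependencyManagement. All groupIds, artifactIds and versions are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example.client</groupId>
  <artifactId>client-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- 1. Import a BOM (placeholder coordinates). Every artifact the BOM
           lists resolves to the version the upstream project released and
           tested together, so the client does not pin them one by one. -->
      <dependency>
        <groupId>org.example.upstream</groupId>
        <artifactId>upstream-bom</artifactId>
        <version>2.0.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- 2. Override one transitive dependency (placeholder coordinates).
           A version declared here takes precedence over the version that
           Maven's dependency mediation would otherwise select from the
           tree, which is how a client forces a patched release of a
           library it only pulls in indirectly. The "be careful" part:
           the pinned version must stay binary compatible with every
           library in the tree that uses it. -->
      <dependency>
        <groupId>org.example.transitive</groupId>
        <artifactId>indirect-lib</artifactId>
        <version>3.4.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> here: it is supplied by the imported BOM. -->
    <dependency>
      <groupId>org.example.upstream</groupId>
      <artifactId>upstream-core</artifactId>
    </dependency>
  </dependencies>
</project>
```

After editing, `mvn dependency:tree -Dverbose` shows which version was selected for each artifact and which candidates were omitted, so the override can be confirmed rather than assumed.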