Hi Jacques, yes, security is another topic and we can start a new thread on
that if you wish. Suffice it to say here that dependency management in
Gradle, although automatic, allows you to customize dependencies. You can use
patterns to say "give me the latest minor version" or "latest major version" or
"exclude this transitive dependency" and so on and so forth.

On Aug 31, 2016 2:03 PM, "Jacques Le Roux" <[email protected]>
wrote:

> On 31/08/2016 at 07:28, Taher Alkhateeb wrote:
>
>> - And for completeness my original proposal, just let Gradle handle it
>> because:
>>    - You will consume bandwidth either way (server to server or jcenter to
>> server)
>>    - The build script will be simpler and cleaner
>>    - The deployed system will be open to change in dependencies and
>> automatically handle it
>>    - Externalizing dependencies is not uncommon at all. It is the default
>> with Django, Rails, Node.js, and even Java (inside .m2 directory). People
>> usually do not want to deal with the dependency headache directly in many
>> newer systems.
>>
>
> Like Scott, it's also OK with me. There is though still one thing I
> slightly worry about, as you said
>
>> People usually do not want to deal with the dependency headache directly
>> in many newer systems.
>>
>
> I can understand that!
> But I have to check Gradle is doing a good job concerning disclosed
> vulnerabilities.
> I mean that it always automatically downloads the latest safe external
> lib versions. I guess it does, but I still have to check that. This is the
> purpose of OFBIZ-7930.
>
> Jacques
>
>
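
The version patterns and transitive exclusion mentioned in this message, written out as a `build.gradle` fragment. This is an added example, not part of the original thread and not OFBiz's build script; the libraries and versions are chosen only for illustration, and it uses the current `implementation` configuration (2016-era builds used `compile`). A dynamic selector resolves to the newest version that matches the pattern; it does not consult vulnerability data, so the lock state is there to make every version change show up in review.

```groovy
// build.gradle (illustrative fragment; dependencies are not taken from OFBiz)
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Record the versions that dynamic selectors actually resolved to, so a
// later build cannot silently pick up something different.
// Generate or refresh the lock state with: gradle dependencies --write-locks
dependencyLocking {
    lockAllConfigurations()
}

dependencies {
    // "Latest minor version": newest release whose version starts with 3.
    implementation 'org.apache.commons:commons-lang3:3.+'

    // "Latest major version": newest release of any version line.
    implementation 'com.google.guava:guava:latest.release'

    // Maven-style range: at least 2.0, below 3.0.
    implementation 'commons-io:commons-io:[2.0,3.0)'

    // Fixed version, with one transitive dependency excluded.
    implementation('commons-beanutils:commons-beanutils:1.9.4') {
        exclude group: 'commons-logging', module: 'commons-logging'
    }
}

configurations.all {
    resolutionStrategy {
        // How long a resolved dynamic version is cached before Gradle
        // asks the repository again (Gradle's default is 24 hours).
        cacheDynamicVersionsFor 1, 'hours'
    }
}
```

Running `gradle dependencies` prints the concrete version each selector resolved to, which is the list to compare against published advisories.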
