[
https://issues.apache.org/jira/browse/CAMEL-22967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18066743#comment-18066743
]
Guillaume Nodet commented on CAMEL-22967:
-----------------------------------------
Investigation notes (March 2026):
* maven-dependency-plugin v3.10.0 is already declared in pluginManagement but
has no execution configured
* Sample analysis on camel-jetty: 21 used-undeclared deps, 11 unused-declared
deps, 6 non-test scoped test-only deps
* Sample analysis on camel-kafka: 17 used-undeclared deps, 10 unused-declared
deps
* ~463 modules would be affected — this is a large-scale effort
Recommended approach:
# Phase 1: Add an opt-in {{-Pdep-check}} profile with {{failOnWarning=false}},
following existing build patterns (like {{-Psbom}})
# Phase 2: Create exclusion strategy for known false positives (transitive deps
used intentionally)
# Phase 3: Optional non-blocking CI workflow to surface warnings on PRs
# Phase 4: Gradual per-module cleanup over releases
Minimal config for the profile:
{code:xml}
<profile>
  <id>dep-check</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <executions>
          <execution>
            <phase>verify</phase>
            <goals><goal>analyze</goal></goals>
            <configuration>
              <failOnWarning>false</failOnWarning>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
{code}
> [build] Add the dependency analyze maven feature
> ------------------------------------------------
>
> Key: CAMEL-22967
> URL: https://issues.apache.org/jira/browse/CAMEL-22967
> Project: Camel
> Issue Type: Task
> Reporter: Pasquale Congiusti
> Priority: Minor
>
> We are not executing this plugin, which may turn out to be very useful to
> help with dependency management in the long term. As an example taken from a
> random component:
> {code}
> [INFO] --- dependency:3.9.0:analyze (default-cli) @ camel-jetty ---
> [WARNING] Used undeclared dependencies found:
> [WARNING] org.apache.camel:camel-attachments:jar:4.18.0-SNAPSHOT:compile
> [WARNING] org.apache.camel:camel-mock:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.hamcrest:hamcrest:jar:2.2:test
> [WARNING] jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.4:compile
> [WARNING] org.apache.camel:camel-core-model:jar:4.18.0-SNAPSHOT:compile
> [WARNING] jakarta.activation:jakarta.activation-api:jar:2.1.4:compile
> [WARNING] org.apache.camel:camel-test-junit5:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.apache.camel:camel-api:jar:4.18.0-SNAPSHOT:compile
> [WARNING] org.junit.jupiter:junit-jupiter-api:jar:5.13.4:test
> [WARNING] org.apache.httpcomponents.core5:httpcore5:jar:5.3.6:test
> [WARNING] org.eclipse.jetty:jetty-io:jar:12.1.6:compile
> [WARNING] org.apache.camel:camel-util:jar:4.18.0-SNAPSHOT:compile
> [WARNING] org.slf4j:slf4j-api:jar:2.0.17:compile
> [WARNING] org.apache.logging.log4j:log4j-api:jar:2.25.3:test
> [WARNING] com.fasterxml.jackson.core:jackson-annotations:jar:2.19.4:test
> [WARNING] org.mockito:mockito-core:jar:5.21.0:test
> [WARNING] org.apache.camel:camel-core-engine:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.apache.camel:camel-http-base:jar:4.18.0-SNAPSHOT:compile
> [WARNING] jakarta.servlet:jakarta.servlet-api:jar:6.1.0:compile
> [WARNING] org.springframework:spring-context:jar:6.2.15:test
> [WARNING] org.eclipse.jetty:jetty-http:jar:12.1.6:compile
> [WARNING] Unused declared dependencies found:
> [WARNING] org.eclipse.jetty.ee10:jetty-ee10-servlets:jar:12.1.6:compile
> [WARNING] org.eclipse.jetty:jetty-client:jar:12.1.6:compile
> [WARNING] org.apache.camel:camel-management:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.apache.camel:camel-spring-xml:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.apache.camel:camel-xpath:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.assertj:assertj-core:jar:3.27.7:test
> [WARNING] org.apache.camel:camel-openapi-java:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.apache.camel:camel-jackson:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.apache.camel:camel-jacksonxml:jar:4.18.0-SNAPSHOT:test
> [WARNING] org.junit.jupiter:junit-jupiter:jar:5.13.4:test
> [WARNING] org.apache.logging.log4j:log4j-slf4j2-impl:jar:2.25.3:test
> [WARNING] Non-test scoped test only dependencies found:
> [WARNING] jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.4:compile
> [WARNING] org.eclipse.jetty:jetty-security:jar:12.1.6:compile
> [WARNING] org.eclipse.jetty.ee10:jetty-ee10-servlet:jar:12.1.6:compile
> [WARNING] org.apache.camel:camel-core-model:jar:4.18.0-SNAPSHOT:compile
> [WARNING] org.apache.camel:camel-util:jar:4.18.0-SNAPSHOT:compile
> [WARNING] org.eclipse.jetty:jetty-http:jar:12.1.6:compile
> {code}
> This example shows we have grown a chaotic dependency management which is not
> really declaring what each component directly uses and instead leverages the
> transitive dependencies, which may disappear at any point in time during the
> evolution of the software.
> I advocate introducing this plugin as a warning only during our regular
> build (which will also show up locally, so, each dev can clean and fix the
> problems he discovers). Additionally we can introduce a GitHub action which
> fails the PR that introduces any change which is not compliant. The latter
> can be a parallel action to run during each PR and not be enforced at the
> beginning (while we need time to clean older tech debt). In the long run
> (when all the project is clean) it may turn into a policy enforcement rule.
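An added example, not part of the comment, the issue, or the Camel build: one way a non-blocking CI step (Phase 3) could summarise `dependency:analyze` output per module after dropping known false positives (Phase 2). It parses only the log format quoted above; the function names and the `EXCLUSIONS` entries are hypothetical.

```python
import re
from fnmatch import fnmatch
# Section headers as printed in the dependency:analyze log quoted above.
SECTIONS = {"Used undeclared dependencies found:": "used_undeclared",
            "Unused declared dependencies found:": "unused_declared",
            "Non-test scoped test only dependencies found:": "non_test_scoped"}
MODULE = re.compile(r"^\[INFO\] --- dependency:\S+:analyze\S* \(.*\) @ (\S+) ---$")
# groupId:artifactId:type:version:scope (no classifier, as in the quoted log)
COORD = re.compile(r"^([^:\s]+):([^:\s]+):[^:\s]+:([^:\s]+):([^:\s]+)$")
# Constructed sample: a short excerpt of the camel-jetty output quoted above.
SAMPLE = """\
[INFO] --- dependency:3.9.0:analyze (default-cli) @ camel-jetty ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.slf4j:slf4j-api:jar:2.0.17:compile
[WARNING]    org.junit.jupiter:junit-jupiter-api:jar:5.13.4:test
[WARNING] Unused declared dependencies found:
[WARNING]    org.eclipse.jetty:jetty-client:jar:12.1.6:compile
[WARNING]    org.apache.logging.log4j:log4j-slf4j2-impl:jar:2.25.3:test
[WARNING] Non-test scoped test only dependencies found:
[WARNING]    org.eclipse.jetty:jetty-security:jar:12.1.6:compile
"""
# Hypothetical Phase 2 exclusion list: globs on groupId:artifactId, per category.
EXCLUSIONS = {"used_undeclared": ["org.junit.jupiter:*"],
              "unused_declared": ["org.apache.logging.log4j:log4j-slf4j2-impl"]}

def parse_analyze_log(text):
    """Return {module: {category: [(groupId:artifactId, version, scope)]}}."""
    report, module, category = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if (started := MODULE.match(line)):
            module, category = started.group(1), None
            report[module] = {name: [] for name in SECTIONS.values()}
        elif not line.startswith("[WARNING]"):
            category = None  # any other log line ends the current section
        else:
            body = line[len("[WARNING]"):].strip()
            if body in SECTIONS:
                category = SECTIONS[body]
            elif (coord := COORD.match(body)) and module and category:
                report[module][category].append((f"{coord[1]}:{coord[2]}", coord[3], coord[4]))
    return report

def apply_exclusions(report, exclusions):  # drop findings matching a category glob
    keep = lambda cat, f: not any(fnmatch(f[0], p) for p in exclusions.get(cat, ()))
    return {mod: {cat: [f for f in found if keep(cat, f)] for cat, found in cats.items()}
            for mod, cats in report.items()}

def counts(report):
    return {mod: {cat: len(f) for cat, f in cats.items()} for mod, cats in report.items()}
```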