[ https://issues.apache.org/jira/browse/FINERACT-1002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114917#comment-17114917 ]

Petri Tuomola commented on FINERACT-1002:
-----------------------------------------

So the first two cases (no version and specific version) are nicely covered in 
the dependency management plugin reference documentation:

[https://docs.spring.io/dependency-management-plugin/docs/current-SNAPSHOT/reference/html/#dependency-management-configuration-bom-import-override-dependency-management]

I was not able to find a document for the third case of using a dynamic 
version, but looking at the relevant pull requests suggests my understanding 
was correct:

[https://github.com/spring-gradle-plugins/dependency-management-plugin/commit/03237ef908e5cd60a8370f320484e6b311a04d2f]

So direct dependencies with a dynamic version (e.g. "+") are ignored by the 
dependency management plugin, which means the Gradle functionality will pick up 
the latest available version, as described here: 

[https://docs.gradle.org/current/userguide/dynamic_versions.html#sub:declaring_dependency_with_dynamic_version]

> Remove all usages of '+' versions in build.gradle
> -------------------------------------------------
>
>                 Key: FINERACT-1002
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1002
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Michael Vorburger
>            Priority: Blocker
>
> While code reviewing [~natashan]'s 
> https://github.com/apache/fineract/pull/927 I thought again about the 
> exchange we had with [~xurror] during FINERACT-805 re. our use of "+" 
> versions in our build.gradle - and decided that this seems like something we 
> really should have a dedicated new issue for...
> Unless I misunderstand something (which is possible), our current use of '+' 
> could actually be a source of future build instability (if they indeed cause 
> the "latest available version" to be used, instead of a fixed one). Therefore 
> to me this seems to be more of a Blocker than just some nice to have...
> What I'm not super clear about is what exactly that '+' means. Is it the 
> latest version from the fixed version of the Spring BOM? Then it would 
> actually be fixed, right? Or is it the latest (major/minor?) version 
> available on Maven Central? Then it would be (very) unstable.. It would be 
> good for someone to be able to find an authoritative link to some doc about 
> this.
> Would it make sense to replace all our usages of '+' versions in build.gradle 
> with fixed versions? Or is this not required? -- And if we do, let's clarify 
> that inline comment I put on top of the file to be more clear and directive 
> (replace "we should also avoid" by "do not use").
> [~awasum] [~ptuomola] [~Percy Ashu] any input to this? Interest in taking 
> this?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
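
A check for the dynamic versions discussed in this issue, as an added example that is not part of the original message or of Fineract's build: it scans build.gradle text for "+", "latest.*" and range versions, which Gradle resolves to the newest available artifact. The sample build file and its `com.example` coordinates are constructed for illustration, and the regex-based parsing is an assumption that covers the common string and map dependency notations only.

```python
import re

# String notation: 'group:name:version' with an optional classifier or @ext.
COORD = re.compile(r"""["']([\w.\-]+):([\w.\-]+):([^"':@]+)(?:[:@][^"']*)?["']""")
# Map notation: group: 'g', name: 'n', version: 'v'
MAP_VERSION = re.compile(r"""\bversion\s*:\s*["']([^"']+)["']""")


def is_dynamic(version):
    """True for Gradle dynamic versions: '+', '1.+', 'latest.*', or a range."""
    v = version.strip()
    if not v:
        return False
    is_range = v[0] in "[(]" and v[-1] in "])["
    return v.endswith("+") or v.startswith("latest.") or is_range


def find_dynamic_versions(build_text):
    """Return (line number, version) for every dynamically versioned dependency."""
    findings = []
    for lineno, line in enumerate(build_text.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue  # skip whole-line comments
        versions = [m.group(3) for m in COORD.finditer(line)]
        versions += MAP_VERSION.findall(line)
        findings += [(lineno, v) for v in versions if is_dynamic(v)]
    return findings


# Constructed sample covering the three cases from the comment above:
# no version (BOM-managed), a specific version, and dynamic versions.
SAMPLE = """\
dependencies {
    // version comes from the imported BOM
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'com.example:pinned:29.0-jre'
    implementation 'com.example:any:+'
    implementation "com.example:widget:2.+"
    testImplementation group: 'com.example', name: 'gadget', version: 'latest.release'
    runtimeOnly 'com.example:range-lib:[1.0,2.0)'
}
"""

if __name__ == "__main__":
    for lineno, version in find_dynamic_versions(SAMPLE):
        print(f"build.gradle:{lineno}: dynamic version '{version}'")
```

Run in CI, a non-empty result can fail the build so that a "+" version cannot be reintroduced unnoticed.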