[
https://issues.apache.org/jira/browse/FINERACT-1002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114917#comment-17114917
]
Petri Tuomola edited comment on FINERACT-1002 at 5/23/20, 6:39 PM:
-------------------------------------------------------------------
So the first two cases (no version and specific version) are nicely covered in
the dependency management plugin reference documentation:
[https://docs.spring.io/dependency-management-plugin/docs/current-SNAPSHOT/reference/html/#dependency-management-configuration-bom-import-override-dependency-management]
I was not able to find a document for the third case of using a dynamic
version, but looking at the relevant pull requests suggests my understanding
was correct:
[https://github.com/spring-gradle-plugins/dependency-management-plugin/commit/03237ef908e5cd60a8370f320484e6b311a04d2f]
So direct dependencies with dynamic version (e.g. "+") are ignored by the
dependency management plugin's efforts to use the BOM versions, which means the
Gradle functionality will pick up the latest available version from e.g. Maven
Central, as described here:
[https://docs.gradle.org/current/userguide/dynamic_versions.html#sub:declaring_dependency_with_dynamic_version]
was (Author: ptuomola):
So the first two cases (no version and specific version) are nicely covered in
the dependency management plugin reference documentation:
[https://docs.spring.io/dependency-management-plugin/docs/current-SNAPSHOT/reference/html/#dependency-management-configuration-bom-import-override-dependency-management]
I was not able to find a document for the third case of using a dynamic
version, but looking at the relevant pull requests suggests my understanding
was correct:
[https://github.com/spring-gradle-plugins/dependency-management-plugin/commit/03237ef908e5cd60a8370f320484e6b311a04d2f]
So direct dependencies with dynamic version (e.g. "+") are ignored by the
dependency management plugin, which means the Gradle functionality will pick up
the latest available version, as described here:
[https://docs.gradle.org/current/userguide/dynamic_versions.html#sub:declaring_dependency_with_dynamic_version]
> Remove all usages of '+' versions in build.gradle
> -------------------------------------------------
>
> Key: FINERACT-1002
> URL: https://issues.apache.org/jira/browse/FINERACT-1002
> Project: Apache Fineract
> Issue Type: Bug
> Reporter: Michael Vorburger
> Priority: Blocker
>
> While code reviewing [~natashan]'s
> https://github.com/apache/fineract/pull/927 I thought again about the
> exchange we had with [~xurror] during FINERACT-805 re. our use of "+"
> versions in our build.gradle - and decided that this seems like something we
> really should have a dedicated new issue for...
> Unless I misunderstand something (which is possible), our current use of '+'
> could actually be source of future build instability (if they indeed cause
> the "latest available version" to be used, instead of a fixed one). Therefore
> to me this seems to be more of a Blocker than just some nice to have...
> What I'm not super clear about is what exactly that '+' means. Is it the
> latest version from the fixed version of the Spring BOM? Then it would
> actually be fixed, right? Or is it the latest (major/minor?) version
> available on Maven Central? Then it would be (very) unstable.. It would be
> good for someone to be able to find an authoritative link to some doc about
> this.
> Would it make sense to replace all our usages of '+' versions in build.gradle
> with fixed versions? Or is this not required? -- And if we do, let's clarify
> that inline comment I put on top of the file to be more clear and directive
> (replace "we should also avoid" by "do not use").
> [~awasum] [~ptuomola] [~Percy Ashu] any input to this? Interest in taking
> this?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
