[ 
https://issues.apache.org/jira/browse/MDEP-490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14601589#comment-14601589
 ] 

Jonathan Haber commented on MDEP-490:
-------------------------------------

It is not a useless exclusion, I don't want junit in my dependency tree at 
scope compile and bundled with my artifacts when I build a fat JAR. Another 
example is org.apache.hadoop:hadoop-core:2.0.0-mr1-cdh4.6.0. It pulls in jetty, 
jetty-util, jasper-runtime, jasper-compiler, jsp-api, commons-logging, 
servlet-api, and hsqldb just to name a few. We don't want/need any of these 
from hadoop-core so we exclude them. If one of our projects happens to have 
servlet-api somewhere else in its dependency tree though, our build shouldn't 
fail. The basic assumption of the plugin seems to be that if you exclude 
something in one place, that means you don't ever want it anywhere else in your 
dependency tree regardless of scope or version. I think this assumption is 
patently invalid in almost every real-world project. And I don't think making 
the plugin aware of scope and/or version solves the problem either; in the 
hadoop-core example, it is very possible that we have servlet-api in our 
dependency tree with the same version and scope as the one we excluded, but 
hadoop-core doesn't need this dependency and the exclusion is perfectly valid.

I just want to use this goal to validate that resolved dependency versions 
match what is in dependency management. If you don't like the idea of a 
flag, would you prefer I make a separate goal for this? Otherwise we will 
probably just end up forking the plugin, which I think does a disservice to the 
community because I think the behavior I'm asking for is what most users want. 
If you want to enforce that junit doesn't appear in your dependency tree, the 
maven-enforcer-plugin has more robust support for this (you can use wildcards 
when banning dependencies, only ban certain version ranges, etc.)

> Add flag to analyze-dep-mgt goal to ignore exclusion errors
> -----------------------------------------------------------
>
>                 Key: MDEP-490
>                 URL: https://issues.apache.org/jira/browse/MDEP-490
>             Project: Maven Dependency Plugin
>          Issue Type: Improvement
>            Reporter: Jonathan Haber
>
> I would like to run the analyze-dep-mgt goal with failBuild=true, but it 
> doesn't work because of exclusion errors. One common example is libraries 
> that accidentally depend on junit at compile scope instead of test scope. 
> When I encounter a library like this, I add an exclusion on junit. But I have 
> junit in my dependency tree at test scope, so my build fails with a message 
> like:
> {quote}
> [INFO] junit:junit:jar was excluded in DepMgt, but version 4.11 has been 
> found in the dependency tree.
> {quote}
> I think the simplest fix is to add a flag to the analyze-dep-mgt goal to 
> ignore exclusion errors. I just want to use the goal to check for version 
> mismatches, if I want to enforce banned dependencies the 
> maven-enforcer-plugin has more robust support for this. I implemented this 
> change in [this|https://github.com/apache/maven-plugins/pull/54] pull 
> request. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
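
The split the comment argues for, as an added example that is not part of the original message or of the plugin's code: a `pom.xml` fragment that trims junit from one library with an exclusion in dependency management, and separately bans only compile-scope junit with the maven-enforcer-plugin's `bannedDependencies` rule. The artifact `com.example:some-library` and the enforcer plugin version are assumptions chosen for illustration.

```xml
<!-- Added illustration; com.example:some-library is a hypothetical artifact. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Library that wrongly declares junit at compile scope: trim it here. -->
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>some-library</artifactId>
        <version>1.0.0</version>
        <exclusions>
          <exclusion>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <!-- junit is still managed, and wanted, at test scope. -->
      <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>4.11</version>
        <scope>test</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed version -->
        <executions>
          <execution>
            <id>ban-compile-scope-junit</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- groupId:artifactId:version:type:scope; test-scope junit stays allowed -->
                    <exclude>junit:junit:*:jar:compile</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```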
