[
https://issues.apache.org/jira/browse/MNG-5818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17074618#comment-17074618
]
Joseph Walton commented on MNG-5818:
------------------------------------
The {{@Deprecated}} annotation is added but (e.g.) {{cobertura-maven-plugin}}
2.7 [still calls
{{setDependencyArtifacts}}|https://github.com/mojohaus/cobertura-maven-plugin/blob/4dbda2c19ebad2c5fe7610421254f86faf9642a6/src/main/java/org/codehaus/mojo/cobertura/CoberturaInstrumentMojo.java#L247]:
{code:java}
Set<Artifact> set = new LinkedHashSet<Artifact>(
    this.getProject().getDependencyArtifacts() );
set.add( coberturaArtifact );
this.getProject().setDependencyArtifacts( set );
{code}
The comment for
[4567c83|https://github.com/apache/maven/commit/4567c8319e95d58e258e9a8c2067ed9bbe01b58e]
says:
{quote}I'm going to try and create a call-graph for all of Maven Central with my
first test to see if I can accurately detect all usages of
MavenProject.setDependencyArtifacts
of artifact in Maven Central.
{quote}
Either that needs to happen, or this method could be deleted first and mojos
can be fixed when breakage is noticed.
> Disallow plugins from programmatically adding dependencies to projects
> ----------------------------------------------------------------------
>
> Key: MNG-5818
> URL: https://issues.apache.org/jira/browse/MNG-5818
> Project: Maven
> Issue Type: Task
> Reporter: Jason van Zyl
> Priority: Major
>
> MavenProject.setDependencyArtifacts(deps) is publicly available to plugins
> that can alter the classpath non-declaratively. For compatibility reasons in
> MNG-4363 we restored this capability for the cobertura-maven-plugin but it
> needs to be removed. It causes some nasty logic in the core, but it being
> non-declarative and magical is the real problem.
> We need to deprecate MavenProject.setDependencyArtifacts(deps), and replace
> the logic for constructing the artifacts in a better. Preferably passing in
> the artifacts in the constructor of MavenProject.
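One way to find such call sites in compiled plugin classes without a full call graph, as an added example that is not part of the original message or of Maven's code: it scans a class file's constant pool for a Methodref to MavenProject.setDependencyArtifacts. The function names and the sample bytes are constructed for illustration.

```python
import struct

TARGET = ("org/apache/maven/project/MavenProject", "setDependencyArtifacts")
# Payload size in bytes for each fixed-width constant-pool tag (JVMS 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data):
    """Return {index: (tag, payload)} for the constant pool of a .class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            (n,) = struct.unpack_from(">H", data, pos)
            pool[idx] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in FIXED:
            pool[idx] = (tag, data[pos:pos + FIXED[tag]])
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    return pool

def calls_target(data, target=TARGET):
    """True if the class holds a Methodref (tag 10) naming the target method."""
    pool = parse_constant_pool(data)
    for tag, payload in list(pool.values()):
        if tag == 10:
            cls_i, nat_i = struct.unpack(">HH", payload)
            (name_i,) = struct.unpack(">H", pool[cls_i][1])
            meth_i, _desc_i = struct.unpack(">HH", pool[nat_i][1])
            if (pool[name_i][1], pool[meth_i][1]) == target:
                return True
    return False

def sample_class(method_name):
    """Constructed input: class-file header plus a six-entry constant pool."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = (utf8(TARGET[0])                         # 1 Utf8 class name
          + b"\x07" + struct.pack(">H", 1)        # 2 Class -> 1
          + utf8(method_name)                     # 3 Utf8 method name
          + utf8("(Ljava/util/Set;)V")            # 4 Utf8 descriptor
          + b"\x0c" + struct.pack(">HH", 3, 4)    # 5 NameAndType
          + b"\x0a" + struct.pack(">HH", 2, 5))   # 6 Methodref
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7) + cp
```

A match means the class references the method by name; calls made reflectively or through a subclass type of MavenProject are not found by this check.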