Chris Kilding created MNG-7238:
----------------------------------
Summary: Dependency deprecation indicators
Key: MNG-7238
URL: https://issues.apache.org/jira/browse/MNG-7238
Project: Maven
Issue Type: New Feature
Reporter: Chris Kilding
I would like to propose a new Maven feature: dependency deprecation indicators.
In a nutshell, the idea is to let maintainers set a 'deprecated' metadata
indicator on a Maven artifact in a repository. This will indicate to users that
the artifact should no longer be used.
The Maven CLI tools could then react to deprecation indicators in the
appropriate ways:
* {{mvn}} itself: Print a warning when deprecated dependencies are seen.
* Maven Enforcer Plugin: Add a {{<banDeprecatedDependencies>}} rule which
throws an error when deprecated dependencies are seen. (Also have a 'skip'
property which allows the rule to be temporarily bypassed if needed.)
* Maven Dependency Tree: Print a {{[deprecated]}} notice next to any
deprecated dependency in the tree.
We can also envisage automated agents like Dependabot or Snyk using these
indicators to alert developers about deprecated dependencies in their stacks,
and even assisting developers to remove them.
Some of the major build tools outside the JVM already have deprecation
indicators:
* NPM: [https://docs.npmjs.com/cli/v7/commands/npm-deprecate]
* Nuget: [https://docs.microsoft.com/en-us/nuget/nuget-org/deprecate-packages]
* Composer:
[https://tomasvotruba.com/blog/2017/07/03/how-to-deprecate-php-package-without-leaving-anyone-behind/]
* Cocoapods: [https://guides.cocoapods.org/syntax/podspec.html#deprecated]
So the feature has precedent, and I believe it would be useful to have in Maven.
This Jira ticket follows up from the conversation "Feature proposal: Dependency
deprecation indicators" on the maven-dev mailing list.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
