[ https://issues.apache.org/jira/browse/MDEP-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17491733#comment-17491733 ]
Henning Schmiedehausen edited comment on MDEP-753 at 2/14/22, 12:39 AM:
------------------------------------------------------------------------

Thorsten, I really appreciate that you look into this problem and that you are trying to solve it. However, you keep looking at it the wrong way:

- This is not OpenBSD. I know that you use that as an example but it does not change anything. They can do whatever they want to their users; it may be an interesting data point but should not serve as an example ("Starbucks no longer gives free cups to customers, so Peet's can not do that either" is not an argument that holds water for me).
- The dependency plugin has an understood behavior for many years (15 to be exact). Changing this now as part of a "3.1 -> 3.x" transition is wrong and the wrong approach to users.
- You are arguing that the "current behavior is wrong and needs to be changed". What you experience right now is Hyrum's law (hi [~hwright]). The current behavior is what users expect and changing it leads to user pushback.

Those are the problems. What I suggest to make this a successful transition:

- Put these new checks under a switch ("enableStrictDependencyChecks"), turn it off by default. Release. That will make all the difference to the people stuck on 3.1.2 right now.
- Turn the switch on by default in a later release. People can still go back by saying "I don't want that".
- Work with the core Maven team to change the core resolver behavior. Make the dependency plugin match that. This is a long game (but then again we do have three different dependency resolvers already, why not have a fourth?)

But what you are doing right now is *user unfriendly*. And that is IMHO not the right thing to do.

was (Author: hgschmie):

Thorsten, I really appreciate that you look into this problem and that you are trying to solve it. However, you keep looking at it the wrong way:

- This is not OpenBSD. I know that you use that as an example but it does not change anything. They can do whatever they want to their users; that may be an interesting data point but should not serve as an example ("Starbucks no longer gives free cups to customers, so Peet's can not do that either" is not an argument that holds water).
- The dependency plugin has an understood behavior for many years (15 to be exact). Changing this now as part of a "3.1 -> 3.x" transition is wrong and the wrong approach to users.
- You are arguing that the "current behavior is wrong and needs to be changed". What you experience right now is Hyrum's law (hi [~hwright]). The current behavior is what users expect and changing it leads to user pushback.

Those are the problems. What I suggest to make this a successful transition:

- Put these new checks under a switch ("enableStrictDependencyChecks"), turn it off by default. Release. That will make all the difference to the people stuck on 3.1.2 right now.
- Turn the switch on by default in a later release. People can still go back by saying "I don't want that".
- Work with the core Maven team to change the core resolver behavior. Make the dependency plugin match that. This is a long game (but then again we do have three different dependency resolvers already, why not have a fourth?)

But what you are doing right now is *user unfriendly*. And that is IMHO not the right thing to do.

> Non-test dependency reported as Non-test scoped test only dependency
> --------------------------------------------------------------------
>
>                 Key: MDEP-753
>                 URL: https://issues.apache.org/jira/browse/MDEP-753
>             Project: Maven Dependency Plugin
>          Issue Type: Bug
>          Components: analyze
>    Affects Versions: 3.2.0
>            Reporter: Elliotte Rusty Harold
>            Assignee: Elliotte Rusty Harold
>            Priority: Critical
>             Fix For: 3.3.0
>
>         Attachments: chas.zip, tj.zip
>
>
> Saw this when updating the google-http-java-client from 3.1.2 to 3.2.0 of the
> plugin. I'm not immediately sure whether this is a regression:
>
> [INFO] --- maven-dependency-plugin:3.2.0:analyze (default-cli) @
> google-http-client ---
> Warning: Non-test scoped test only dependencies found:
> Warning: com.google.guava:guava:jar:30.1.1-android:compile
> Warning: io.opencensus:opencensus-api:jar:0.28.0:compile
>
> Changing Guava to scope test breaks the build, which is expected based on the
> code. The warning seems incorrect.
>
> https://github.com/googleapis/google-http-java-client/pull/1396
> https://github.com/googleapis/google-http-java-client/pull/1396/checks?check_run_id=2809438131

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
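The report above shows why a CI job that fails on every `dependency:analyze` warning is fragile: the "Non-test scoped test only dependencies" check can flag a compile-scope dependency that really is needed at compile time (Guava here). The following is an added example, not code from this thread or from the Maven Dependency Plugin: it parses the analyze warning block into structured findings, grouped by the heading each coordinate appears under, and then applies a reviewer-maintained allowlist so that known false positives do not block the build while everything else still does. The sample log is constructed to mirror the lines quoted in the issue (it accepts both the `Warning:` prefix shown there and Maven's usual `[WARNING]` console prefix), the `org.example` coordinates are invented, and the allowlist contents are an assumption about what a team might have reviewed.

```python
"""
Added example (not from MDEP-753 or the Maven project): turn the text output of
maven-dependency-plugin's analyze goal into structured findings and decide
which of them a CI job should fail on, with an allowlist for reviewed false
positives such as the Guava case in the issue.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample: the block quoted in the issue plus a second, invented
# category so the parser is exercised on more than one heading. Maven's real
# console uses "[WARNING]"; the Jira text uses "Warning:". Both are accepted.
SAMPLE_LOG = """\
[INFO] --- maven-dependency-plugin:3.2.0:analyze (default-cli) @ google-http-client ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.example:used-but-undeclared:jar:1.0:compile
[WARNING]    org.example:native-helper:jar:linux-x86_64:2.3.0:compile
Warning: Non-test scoped test only dependencies found:
Warning: com.google.guava:guava:jar:30.1.1-android:compile
Warning: io.opencensus:opencensus-api:jar:0.28.0:compile
[INFO] BUILD SUCCESS
"""

WARN_PREFIX = re.compile(r"^(?:\[WARNING\]|Warning:)\s*")
HEADING = re.compile(r"^(?P<category>.+?) found:$")


@dataclass(frozen=True)
class Finding:
    """One coordinate reported under one analyze warning category."""
    category: str
    group_id: str
    artifact_id: str
    packaging: str
    classifier: Optional[str]
    version: str
    scope: str

    @property
    def ga(self) -> str:
        return f"{self.group_id}:{self.artifact_id}"


def parse_coordinate(category: str, text: str) -> Finding:
    """Parse groupId:artifactId:type[:classifier]:version:scope as Maven prints it."""
    parts = text.split(":")
    if len(parts) == 5:
        group_id, artifact_id, packaging, version, scope = parts
        classifier = None
    elif len(parts) == 6:
        group_id, artifact_id, packaging, classifier, version, scope = parts
    else:
        raise ValueError(f"unrecognised Maven coordinate: {text!r}")
    return Finding(category, group_id, artifact_id, packaging, classifier, version, scope)


def parse_analyze_output(log: str) -> List[Finding]:
    """Walk the log; a '... found:' heading opens a block, any non-warning line closes it."""
    findings: List[Finding] = []
    category: Optional[str] = None
    for raw in log.splitlines():
        m = WARN_PREFIX.match(raw)
        if not m:
            category = None  # an [INFO] or other line ends the current block
            continue
        body = raw[m.end():].strip()
        heading = HEADING.match(body)
        if heading:
            category = heading.group("category")
            continue
        if category is not None and body:
            findings.append(parse_coordinate(category, body))
    return findings


# Constructed allowlist: (category, groupId:artifactId) pairs a reviewer has
# confirmed are genuinely needed at the declared scope. Keying on the category
# too means an allowlisted false positive is not silently waved through if the
# same artifact later shows up under a different, unrelated warning.
REVIEWED_FALSE_POSITIVES: Set[Tuple[str, str]] = {
    ("Non-test scoped test only dependencies", "com.google.guava:guava"),
}


def findings_to_fail_on(findings: Iterable[Finding],
                        allowlist: Set[Tuple[str, str]] = REVIEWED_FALSE_POSITIVES) -> List[Finding]:
    """Everything analyze reported except the reviewed exceptions."""
    return [f for f in findings if (f.category, f.ga) not in allowlist]


if __name__ == "__main__":
    for f in findings_to_fail_on(parse_analyze_output(SAMPLE_LOG)):
        print(f"{f.category}: {f.ga}:{f.version} ({f.scope})")
```

Keeping the exceptions in an explicit, reviewed list rather than disabling the check wholesale preserves the value of the analyze goal for the cases it gets right, and the list itself becomes a record of which reports were examined and why.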