[ 
https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Paul Gier updated MENFORCER-138:
--------------------------------

    Fix Version/s: 1.2
    
> Rule to ban all transitive dependencies
> ---------------------------------------
>
>                 Key: MENFORCER-138
>                 URL: https://jira.codehaus.org/browse/MENFORCER-138
>             Project: Maven 2.x Enforcer Plugin
>          Issue Type: New Feature
>          Components: Standard Rules
>            Reporter: Paul Gier
>            Assignee: Paul Gier
>             Fix For: 1.2
>
>
> In some projects it's necessary (or at least desirable) to have all 
> dependencies explicitly specified in the pom.  We have a build requirement to use 
> a strictly controlled maven repository which includes only artifacts which 
> are necessary and have been reviewed/approved.  In order to meet this 
> requirement, each new dependency in the build must be reviewed before each 
> release.  This can be done by periodically reviewing the dependency tree and 
> cleaning up any unnecessary dependencies, but it would be more efficient if 
> the developer adding the dependency was immediately notified that new 
> (possibly unnecessary) dependencies were added to the build and not 
> explicitly defined.  The developer can immediately choose whether to exclude 
> the transitive dependency (if it's not really needed), or declare the 
> dependency and control the version using dependency management.  Doing this 
> checking up front when the build is modified is more efficient than 
> periodically reviewing the dependency tree after several upgrades may have 
> taken place.
> In order to facilitate this use case, an enforcer rule could check that 
> all dependencies are explicitly defined unless they are specifically marked 
> to be ignored.  This would ban all transitive dependencies so that the user 
> could either add the transitive dependency directly to the pom (if it's 
> actually needed), or exclude the dependency using exclusions in the 
> dependency management, or mark it to be ignored using something like an 
> <excludes> parameter similar to other standard enforcer rules.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
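
The check proposed in the issue, sketched as an added example (not code from the Enforcer plugin or from the reporter): it reads the text output of `mvn dependency:tree`, treats every entry nested below a first-level dependency as transitive, and reports those not covered by an ignore list. The sample tree, the function name `transitive_violations` and the `groupId:artifactId` wildcard patterns are assumptions made for illustration.

```python
import re
import sys
from fnmatch import fnmatch

# Constructed sample in the text format printed by `mvn dependency:tree`.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- commons-codec:commons-codec:jar:1.11:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Each nesting level is one 3-character token: "+- ", "\- ", "|  " or "   ".
NODE = re.compile(
    r"^(?:\[INFO\] )?((?:[|+\\ ][- ] )*)([\w.\-]+):([\w.\-]+):\S+$"
)


def transitive_violations(tree_text, excludes=()):
    """Return sorted groupId:artifactId of transitive deps not in excludes."""
    declared, transitive = set(), set()
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # blank lines, banners, other Maven log output
        depth = len(m.group(1)) // 3  # 0 = project, 1 = declared in the pom
        ga = f"{m.group(2)}:{m.group(3)}"
        if depth == 1:
            declared.add(ga)
        elif depth >= 2:
            transitive.add(ga)
    # Anything also declared directly is already explicit, so it passes.
    return sorted(
        ga for ga in transitive - declared
        if not any(fnmatch(ga, pattern) for pattern in excludes)
    )


if __name__ == "__main__":
    # Hypothetical ignore list: test-only matcher library is tolerated.
    bad = transitive_violations(SAMPLE_TREE, excludes=["org.hamcrest:*"])
    for ga in bad:
        print(f"transitive dependency not declared or excluded: {ga}")
    sys.exit(1 if bad else 0)
```

A non-zero exit fails the build at the moment a dependency change pulls in something that has not been reviewed, which is the up-front notification the issue asks for.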

