[ https://issues.apache.org/jira/browse/SOLR-15984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488453#comment-17488453 ]
David Smiley commented on SOLR-15984:
-------------------------------------
I suppose this will help but only for direct dependencies. For transitive,
they can sneak in still. Our global versions.lock file is helpful but doesn't
differentiate between a test transitive and a shipping/distribution transitive.
A downside to the check you propose to add is that it will force us to
explicitly declare dependencies in our build – extra busy-work. Not a big deal.
My wish for dependency management checks: for each module, have the dependency
tree generated to a file that is checked-in to source control. During
precommit, ensure this matches the tree or fail. Easy; ehh? Henceforth,
changes will be seen in PRs (and Git history) with plenty of context on the
dependency change. WDYT [~dweiss] ?
> Ensure all used dependencies are declared
> -----------------------------------------
>
> Key: SOLR-15984
> URL: https://issues.apache.org/jira/browse/SOLR-15984
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Build
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> Solr uses a bunch of dependencies that are not declared inside build.gradle
> files. These dependencies are pulled in transitively instead of declared
> explicitly. This makes it easy for new dependencies to be added without
> seeing the impact.
> https://github.com/gradle-dependency-analyze/gradle-dependency-analyze can be
> used to find used but undeclared dependencies during the build process.
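The check wished for in the comment above, sketched as an added example (not code from the Solr build or from anyone in this thread): it parses the text printed by Gradle's `dependencies` task and reports, per configuration, which resolved coordinates were added or removed relative to a checked-in snapshot, so a change under `runtimeClasspath` is kept apart from one under `testRuntimeClasspath`. The `com.example` coordinates and both trees are constructed sample data, and the function names are hypothetical.

```python
import re

# One node line of `gradle dependencies` output, e.g. "|    \--- g:n:1.0 -> 1.2 (*)"
NODE = re.compile(r"^[|\s]*[+\\]--- (\S+?):(\S+?)(?::(\S+))?(?: -> (\S+))?(?: \([*cn]\))?$")
HEADER = re.compile(r"^(\w+) - ")  # e.g. "runtimeClasspath - Runtime classpath of ..."

def resolved(tree_text):
    """Map each configuration to its set of 'group:name:version' (resolved version)."""
    result, current = {}, None
    for line in tree_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = result.setdefault(header.group(1), set())
            continue
        node = NODE.match(line.rstrip())
        if node and current is not None:
            group, name, requested, selected = node.groups()
            # "1.0 -> 1.2" means 1.0 was requested but 1.2 was selected.
            current.add(f"{group}:{name}:{selected or requested}")
    return result

def drift(snapshot_text, current_text):
    """List (configuration, 'added'|'removed', coordinate) differences, sorted."""
    old, new = resolved(snapshot_text), resolved(current_text)
    changes = []
    for config in sorted(set(old) | set(new)):
        before, after = old.get(config, set()), new.get(config, set())
        changes += [(config, "added", c) for c in sorted(after - before)]
        changes += [(config, "removed", c) for c in sorted(before - after)]
    return changes

# Constructed sample data: the checked-in snapshot and a later build's tree,
# in which a version bump of lib-c drags in a new transitive, lib-d.
SNAPSHOT = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.example:lib-a:1.0
|    \--- com.example:lib-b:1.0 -> 1.2
\--- com.example:lib-c:2.0

testRuntimeClasspath - Runtime classpath of source set 'test'.
\--- com.example:test-kit:3.1
"""
CURRENT = SNAPSHOT.replace(
    "\\--- com.example:lib-c:2.0",
    "\\--- com.example:lib-c:2.1\n     \\--- com.example:lib-d:0.9",
)

if __name__ == "__main__":
    for config, change, coord in drift(SNAPSHOT, CURRENT):
        print(f"{config}: {change} {coord}")
```

A precommit step built on this would fail whenever `drift` returns a non-empty list, and the refreshed snapshot file would then show the new transitive in the PR diff.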