Maven Enforcer Plugin's Require Upper Bound Dependencies might be enough for your use-case (also notice there's a Require Release Dependencies rule to prohibit snapshot dependencies) http://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html
Le mar. 15 août 2017 12:06, Mark Raynsford <[email protected]> a écrit : > Hello. > > I've recently been considering moving to byte-for-byte reproducible > builds of my software packages. It seems fairly easy to get there via > plugins such as the reproducible-build-maven-plugin [0] as long as the > build isn't otherwise unreproducible, but one thing that I am unsure of > is whether or not it's possible to detect and fail the build if a > (transitive) dependency is using version ranges. > > For example, if I declare a dependency on a package P and P declares a > dependency on Q using a version range, then my build is effectively > nondetermimistic (because a new version of Q may appear at any time). > As a consumer of P, I may be totally unaware of Q and therefore won't > know to override the versions of Q in my own dependencyManagement > section. > > Is there a plugin that can reject the use of version ranges anywhere in > the transitive dependency tree? > > I'm currently using scijava's plugin to reject snapshot versions [1], > and am using the dependency plugin to fail builds with undeclared > dependencies. > > [0] https://github.com/Zlika/reproducible-build-maven-plugin > [1] https://github.com/scijava/scijava-maven-plugin > > -- > Mark Raynsford | http://www.io7m.com >
