On 16/04/2022 at 3:09:09 AM, "Creager, Greg" <greg.crea...@hp.com.invalid>
wrote:

> Is there a drawback to simply running resolve-ranges before official
> builds to ensure the pom has static versions? That seems like it would
> resolve having published poms with version ranges in production.
> mvn versions:resolve-ranges -DprocessParent=true
>

On the surface that may seem like a good approach, but what we found a long
time ago is that this led to:


   - The build you're running on local dev machines, on CI servers, and on
   whatever machine does the release may not actually be the same versions
   that were tested.
   - One concrete issue we saw early on was a Spring-related dependency
   that we had locked down, but that dependency itself had an open range
   dependency on Spring with something like [2.0.0,] - when Spring 3 was
   released, those dependencies got pulled into a build that then broke. This
   was on an associate's project, but we had similar issues that tripped up
   runtime dependencies in our OSGi environment.
   - Rather than a giant multi-module project, we have multiple repos - so
   when it came to doing a hot fix of the distribution/packaging, we'd take the
   bill of materials that was used in the version we're replacing, and resolve
   ONLY a newer version of the sub-modules we're replacing - for example:


import company:company.distribution:111-ga1;

allow unlocked /^.company:the-patched-artifact$/;


Also on that patched artifact, we'd change that import to the same released
version and resolve the used dependencies specifically to what's being
replaced in production. It's a small amount of ceremony, but it has served
to minimise the surface area of change for retesting.

The downside of forcing [] versions and no transitives is that
occasionally we end up with a large number of re-releases of modules that
only contain dependency version updates; often that's only needed if major
versions have changed, or minor versions of API-specific artifacts.

One thing I have been considering adding to this is also recording the
checksums of the artifacts resolved, to help mitigate
any potential side chain attacks.

-- 
"Great artists are extremely selfish and arrogant things" — Steven Wilson,
Porcupine Tree
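
The two mechanisms the message above relies on, a version range that is resolved
against whatever the repository holds at build time and a lock that records the
exact version plus a digest of what was tested, as an added example. This is not
code from the post or from the Maven project: version ordering is simplified to
numeric dotted segments (real Maven ordering also handles qualifiers such as
-SNAPSHOT, which this deliberately does not), the available-version lists and
jar bytes are constructed inline, and the spring-core coordinate is used only for
illustration. It shows the [2.0.0,] range moving from 2.5.6 to 3.0.0 once a new
major is published, the lock file catching that drift, and a [] version staying put.

```python
"""Maven-style version ranges, resolution and a checksum lock file.

Added example for this thread; it is not code from the original post or from
the Maven project. Version ordering is simplified to numeric dotted segments
(an assumption; real Maven ordering also handles qualifiers like -SNAPSHOT);
the available-version lists and jar bytes below are constructed inline.
"""
import hashlib
import re

# Matches [a,b], (a,b], [a,], [a,) and the exact form [a]. A bare "1.2.3" is not
# a range (Maven calls it a soft requirement) and is handled separately below.
RANGE_RE = re.compile(r"^([\[(])([^,\[\]()]*)(?:,([^,\[\]()]*))?([\])])$")


def version_key(version):
    """Sort key for a dotted numeric version; '2.5' and '2.5.0' compare equal."""
    parts = [int(x) for x in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def matches(spec, version):
    """Does `version` satisfy the dependency version `spec` from a pom?"""
    spec = spec.strip()
    m = RANGE_RE.match(spec)
    if m is None:                       # soft requirement: treated as exact here
        return version_key(version) == version_key(spec)
    lo_br, lo, hi, hi_br = m.groups()
    vk = version_key(version)
    if hi is None:                      # "[2.5.6]": hard, exact requirement
        return vk == version_key(lo)
    if lo.strip():
        lk = version_key(lo)
        if vk < lk or (vk == lk and lo_br == "("):
            return False
    if hi.strip():
        hk = version_key(hi)
        if vk > hk or (vk == hk and hi_br == ")"):
            return False
    return True                         # "[2.0.0,]": no upper bound at all


def resolve(spec, available):
    """Maven picks the highest available version that lies inside the range."""
    candidates = [v for v in available if matches(spec, v)]
    if not candidates:
        raise LookupError(f"no available version satisfies {spec!r}")
    return max(candidates, key=version_key)


def lock_entry(coordinate, version, artifact_bytes):
    """Record what was actually tested: exact version plus artifact digest."""
    return {
        "coordinate": coordinate,
        "version": version,
        "sha256": hashlib.sha256(artifact_bytes).hexdigest(),
    }


def verify(lock, coordinate, version, artifact_bytes):
    """Check a resolved artifact against the lock; returns (ok, reason)."""
    entry = lock.get(coordinate)
    if entry is None:
        return False, "not in lock file"
    if entry["version"] != version:
        return False, f"version drift: locked {entry['version']}, got {version}"
    if hashlib.sha256(artifact_bytes).hexdigest() != entry["sha256"]:
        return False, "checksum mismatch: artifact content differs from tested"
    return True, "ok"


# Constructed repository state: the same open range resolves differently once
# a new major is published, which is the Spring 2 -> 3 breakage from the thread.
SPRING_CORE = "org.springframework:spring-core"   # coordinate used for illustration
BEFORE_SPRING_3 = ["2.0.0", "2.0.8", "2.5.6"]
AFTER_SPRING_3 = BEFORE_SPRING_3 + ["3.0.0"]
JARS = {  # constructed stand-ins for jar contents, not real artifacts
    "2.5.6": b"constructed bytes standing in for spring-core-2.5.6.jar",
    "3.0.0": b"constructed bytes standing in for spring-core-3.0.0.jar",
}


def demo():
    open_range = "[2.0.0,]"
    tested = resolve(open_range, BEFORE_SPRING_3)          # 2.5.6 at test time
    lock = {SPRING_CORE: lock_entry(SPRING_CORE, tested, JARS[tested])}
    later = resolve(open_range, AFTER_SPRING_3)            # 3.0.0 at release time
    ok, reason = verify(lock, SPRING_CORE, later, JARS[later])
    pinned = resolve(f"[{tested}]", AFTER_SPRING_3)        # [] form stays at 2.5.6
    return tested, later, ok, reason, pinned


if __name__ == "__main__":
    print(demo())
```

The lock here is keyed by coordinate and stores the exact version and SHA-256 of
the artifact bytes, so a release build that re-resolves a range and lands on a
different version, or fetches the same version with different content, fails the
check instead of silently shipping something that was never tested.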