I contribute to a tree of large projects with scads of direct and indirect dependencies. I'm looking for a way to fail the build if certain disfavored g:a packages are directly used in our code, declared or not. (Sometimes someone will introduce a direct dependency on an indirect dependency and neglect to declare it, because Maven finds it anyway.) Our dependency tree is *large* and we are trying to trim it to nearly minimal.
dependency:analyze-only can fail on warning, but I don't see a way to fail *only* on undeclared used dependencies (which I would like to do anyway). enforcer:enforce seems to enforce dependency exclusions only against declared dependencies.

Is there a way (using Maven) to require e.g. "our dependencies may depend on log4j:log4j but we don't"?

Is there a way (using Maven) to require that all direct dependencies are declared, but be lax about unused dependencies? (Once we get the undeclareds cleaned up, we may go after the unuseds.)

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
library.indianapolis.iu.edu