> On 15 Nov 2024, at 22:21, mw...@iu.edu wrote:
>
> I contribute to a tree of large projects with scads of direct and
> indirect dependencies. I'm looking for a way to fail the build if
> certain disfavored g:a packages are directly used in our code,
> declared or not. (Sometimes someone will introduce a direct
> dependency on an indirect dependency and neglect to declare it,
> because Maven finds it anyway.) Our dependency tree is *large* and we
> are trying to trim it to nearly minimal.
>
> dependency:analyze-only can fail on warning, but I don't see a way to
> fail *only* on undeclared used dependencies (which I would like to do
> anyway).
>
> enforcer:enforce seems to enforce dependency exclusions only against
> declared dependencies.
>
> Is there a way (using Maven) to require e.g. "our dependencies may
> depend on log4j:log4j but we don't"?
>
> Is there a way (using Maven) to require that all direct dependencies
> are declared, but be lax about unused dependencies?
Maven dependency plugin analyze, by configuring a wildcard for used undeclared dependencies, should do the trick: https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html#ignoredUsedUndeclaredDependencies

Combining that with fail-on-warnings for dependency analyze and the maven enforcer plugin bannedDependencies rule with transitive switched off (it's on by default, see https://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html) appears to be a good candidate for achieving your desired check: banning use of dependencies' classes from your own project code, but allowing them to appear transitively (and therefore potentially be used transitively by external library calls in your code) due to currently used libraries.
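The two-plugin wiring described in the reply above, written out as an added pom.xml example; it is not code from either poster. Plugin versions, execution ids and the choice of log4j:log4j as the banned coordinate are assumptions. To stay lax about declared-but-unused entries while still failing on used-but-undeclared ones, this example puts the wildcard on the analyze goal's ignoredUnusedDeclaredDependencies parameter and leaves ignoredUsedUndeclaredDependencies empty, so any class reference from our own compiled code to an artifact we did not declare remains a warning and, with failOnWarning, fails the build. The enforcer rule with searchTransitive=false then bans the coordinate only when it is declared directly in this module.

```xml
<!-- Added example, not from the thread. Versions, ids and log4j:log4j are assumptions. -->
<build>
  <plugins>
    <!-- 1. Fail only on used-but-undeclared dependencies. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <version>3.6.1</version>
      <executions>
        <execution>
          <id>fail-on-undeclared-direct-use</id>
          <goals>
            <goal>analyze-only</goal>
          </goals>
          <!-- analyze-only inspects the compiled classes, so it has to run after
               compile; verify is its default phase and is stated here for clarity -->
          <phase>verify</phase>
          <configuration>
            <failOnWarning>true</failOnWarning>
            <!-- Wildcard: declared-but-unused entries never produce a warning,
                 so they never fail the build. -->
            <ignoredUnusedDeclaredDependencies>
              <ignoredUnusedDeclaredDependency>*</ignoredUnusedDeclaredDependency>
            </ignoredUnusedDeclaredDependencies>
            <!-- ignoredUsedUndeclaredDependencies is deliberately left unset:
                 a class in this module that references e.g. org.apache.log4j.*
                 while log4j:log4j is only transitive is reported as
                 "used undeclared" and fails the build. -->
          </configuration>
        </execution>
      </executions>
    </plugin>

    <!-- 2. Ban the disfavoured coordinate as a *direct* dependency only. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.5.0</version>
      <executions>
        <execution>
          <id>ban-direct-disfavoured-deps</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- false: check only this module's declared dependencies, so
                     log4j:log4j arriving transitively through a library is tolerated -->
                <searchTransitive>false</searchTransitive>
                <excludes>
                  <exclude>log4j:log4j</exclude>
                </excludes>
                <message>Do not declare log4j:log4j directly; it may only appear transitively.</message>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With both in place, the three cases the question distinguishes behave as follows: log4j:log4j declared directly fails at the enforcer's validate phase; log4j classes used from our code without a declaration fail at verify under the analyze goal; log4j present only in the transitive tree and not referenced from our classes passes. Because the analyze goal works from bytecode, run it in a module that actually compiles sources (it has nothing to inspect in a pom-packaged aggregator), and put the configuration in the parent's pluginManagement if the same policy should apply across the whole tree.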