> On 16 Nov 2024, at 11:03, Hans Aikema <hans.aik...@aikebah.net> wrote:
>
>> On 15 Nov 2024, at 22:21, mw...@iu.edu wrote:
>>
>> I contribute to a tree of large projects with scads of direct and
>> indirect dependencies. I'm looking for a way to fail the build if
>> certain disfavored g:a packages are directly used in our code,
>> declared or not. (Sometimes someone will introduce a direct
>> dependency on an indirect dependency and neglect to declare it,
>> because Maven finds it anyway.) Our dependency tree is *large* and we
>> are trying to trim it to nearly minimal.
>>
>> dependency:analyze-only can fail on warning, but I don't see a way to
>> fail *only* on undeclared used dependencies (which I would like to do
>> anyway).
>>
>> enforcer:enforce seems to enforce dependency exclusions only against
>> declared dependencies.
>>
>> Is there a way (using Maven) to require e.g. "our dependencies may
>> depend on log4j:log4j but we don't"?
>>
>> Is there a way (using Maven) to require that all direct dependencies
>> are declared, but be lax about unused dependencies?
>
> Maven dependency plugin analyze, by configuring wildcard for used undeclared
> dependencies should do the trick
> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html#ignoredUsedUndeclaredDependencies
>
Oops... Of course the ignore should be set for the unusedDeclared ignore setting, not the usedUndeclared:
https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html#ignoredunuseddeclareddependencies

But the page shows all the various dials you can turn to get exactly the subset of only those dependency issues you want to fail on (and you could even configure multiple executions of the plugin to get a build-log warning on all issues, combined with another scan with failOnWarning configured for those you want the build to fail on).

> Combining that with fail-on-warnings for dependency analyze and maven
> enforcer plugin bannedDependencies rule with transitive switched off (it's on
> by default, see
> https://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html)
> appears to be a good candidate for achieving your desired check: banning use
> of dependencies' classes from your own project code, but allowing them to
> appear transitively (and therefore potentially be used transitively by
> external library calls in your code) due to currently used libraries.
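A pom.xml build section wiring the two plugins together the way this thread describes, as an added example and not the poster's own configuration. It assumes analyze-only bound to the verify phase, plugin versions managed elsewhere in pluginManagement, and log4j:log4j (the artifact named in the question) as the banned direct dependency.

```xml
<build>
  <plugins>
    <!-- Fail only on used-but-undeclared dependencies: the wildcard
         suppresses every unused-declared warning before failOnWarning
         is evaluated. analyze-only is assumed bound to verify. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <executions>
        <execution>
          <id>fail-on-used-undeclared</id>
          <phase>verify</phase>
          <goals><goal>analyze-only</goal></goals>
          <configuration>
            <failOnWarning>true</failOnWarning>
            <ignoredUnusedDeclaredDependencies>
              <ignoredUnusedDeclaredDependency>*:*</ignoredUnusedDeclaredDependency>
            </ignoredUnusedDeclaredDependencies>
          </configuration>
        </execution>
      </executions>
    </plugin>
    <!-- Ban log4j:log4j only as a declared dependency of this module.
         searchTransitive=false keeps it allowed deeper in the tree, where
         other libraries may still pull it in. With the analyzer above, an
         undeclared direct use of its classes fails there and a declared
         one fails here. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-direct-log4j</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <searchTransitive>false</searchTransitive>
                <excludes>
                  <exclude>log4j:log4j</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` on a module that references a log4j class without declaring it and the dependency analyzer fails the build; declare it and the enforcer fails it instead, while modules whose libraries merely pull log4j in transitively pass.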