Howdy,

This is IMHO not a good idea. Locking down plugins by locking down Maven... is too implicit for my taste.

For a start, we provide a set of tools to help "locking down" (https://issues.apache.org/jira/browse/MNG-8408) but also maintain them (versions plugin or toolbox:plugin-versions and alike). Maven is not a "curated set of plugins" we usually "just update" when we feel so. It is the user who should maintain the versions.

Finally, one can still enforce a Maven version usable with build, this is usually used to set "minimum version" (open range) but one can use a very narrow closed range as well.

Thanks
T

On Mon, Feb 3, 2025 at 2:07 PM Lars Bruun-Hansen <lbr...@apache.org> wrote:
>
> -- DISCUSSION --
>
> MNG-6562 introduced the warning:
>
> "Version not locked for default bindings plugins [maven-clean-plugin,
> maven-resources-plugin, maven-compiler-plugin, maven-surefire-plugin,
> maven-jar-plugin, maven-install-plugin], you should define versions in
> pluginManagement section of your pom.xml or parent."
>
> The warning was added before the Maven Wrapper became popular. For a
> project that uses Maven Wrapper the warning does not make sense to me:
> those plugin versions are indeed de-facto locked. Right? The build is
> already reproducible and will always yield the same result regardless of
> which platform it is executed on. (We must assume that users are aware that
> IF a project contains a Maven Wrapper then it is because you are
> supposed to use it! (i.e. execute 'mvnw', not 'mvn')).
>
> The warning leads to the user rushing to extend/complicate his POM while
> this is unnecessary when using the wrapper. I believe the "lock" between
> a specific Maven version (e.g. v3.9.2) and its default plugin versions
> is something that to the user should be equally good as adding that long
> list of dependencies to the POM. I get it that we want to educate users
> that Maven is "a collection of plugins" but in reality users see the
> Maven version as a CURATED set of plugin dependencies. Which indeed it
> is, right?
>
> My suggestion is to not print this warning if the build is being
> executed by the Maven Wrapper. I don't know if this is possible, i.e.
> detecting that mvn is being executed by the wrapper?
>
> Spitballing: Also, the POM could have some kind of setting to signal to
> Maven that it MUST be executed via the wrapper. Or at least that it is
> INTENDED to be executed using the wrapper. Then Maven could execute a
> warning (or fail) if that is not the case.
>
>
> Alternatively: extend the warning message:
> "If you have de-facto locked the Maven version, for example by using the
> Maven Wrapper, then you can ignore this warning."
>
>
> WDYT?
>
>
>
> /Lars
>
>
> PS: As it may be obvious, I'm a great fan of the Wrapper and I believe
> it should be advocated more and projects should have a very good reason
> NOT to use it. Luckily, many project initializers add it by default
> (e.g. Spring Initializr) but the Maven Project itself doesn't make that
> much out of it.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> For additional commands, e-mail: users-h...@maven.apache.org
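
Added example, not part of the thread and not Maven's own code: a small check that reports which of the default-binding plugins named in the MNG-6562 warning have no explicit version in a single pom.xml. It assumes the POM uses the standard POM 4.0.0 namespace and does not resolve parent POMs or profiles; the sample POM and its version strings are constructed.

```python
import xml.etree.ElementTree as ET

# Plugin list copied from the MNG-6562 warning text quoted in the thread.
DEFAULT_BINDING_PLUGINS = [
    "maven-clean-plugin", "maven-resources-plugin", "maven-compiler-plugin",
    "maven-surefire-plugin", "maven-jar-plugin", "maven-install-plugin",
]
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; version strings are placeholders, not real releases.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build>
    <pluginManagement><plugins>
      <plugin><artifactId>maven-compiler-plugin</artifactId><version>1.0-sample</version></plugin>
      <plugin><artifactId>maven-surefire-plugin</artifactId><version>1.0-sample</version></plugin>
    </plugins></pluginManagement>
    <plugins>
      <plugin><artifactId>maven-clean-plugin</artifactId><version>1.0-sample</version></plugin>
      <plugin><artifactId>maven-jar-plugin</artifactId></plugin>
    </plugins>
  </build>
</project>"""

def locked_versions(pom_xml):
    """Map artifactId -> version for plugins with an explicit <version>."""
    root = ET.fromstring(pom_xml)
    pinned = {}
    # pluginManagement is read first so its version wins over build/plugins.
    for path in ("m:build/m:pluginManagement/m:plugins/m:plugin",
                 "m:build/m:plugins/m:plugin"):
        for plugin in root.findall(path, NS):
            aid = (plugin.findtext("m:artifactId", default="", namespaces=NS) or "").strip()
            ver = (plugin.findtext("m:version", default="", namespaces=NS) or "").strip()
            if aid and ver:
                pinned.setdefault(aid, ver)
    return pinned

def unlocked_plugins(pom_xml):
    """Default-binding plugins that this POM leaves to the Maven version in use."""
    pinned = locked_versions(pom_xml)
    return [p for p in DEFAULT_BINDING_PLUGINS if p not in pinned]

if __name__ == "__main__":
    for name in unlocked_plugins(SAMPLE_POM):
        print("version not locked in this POM:", name)
```

A plugin declared without a version, like maven-jar-plugin in the sample, is still reported, since its version would come from whichever Maven runs the build.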