Maven Enforcer Plugin

Fail the build if a dependency is overwritten with an incompatible lower version (patch)

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.1
    • Component/s: Standard Rules
    • Labels:
      None
    • Flags:
      Patch

      Description

      Overwriting a dependency to a lower version than any of your other dependencies need should fail the build if this new enforcer rule is active.

      For example, this is bad:

        <dependencies>
          <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
            <version>1.4.0</version>
          </dependency>
          <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
            <version>0.9.9</version>
            <!-- Depends on org.slf4j:slf4j-api:1.5.0 -->
          </dependency>
        </dependencies>
      

      Attaching patch in a few minutes.
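The check this rule performs, as an added Python example that is not part of the attached patch or the enforcer plugin's own code: it simulates Maven's nearest-wins mediation over a constructed dependency graph modelled on the POM above and reports every artifact whose resolved version is lower than a version requested elsewhere in the tree. The graph, the `example:app` root coordinate and the numeric-only version comparison are assumptions for the example (Maven's real ComparableVersion also orders qualifiers).

```python
from collections import deque

# Constructed sample graph modelled on the POM in this issue (not a real artifact
# catalogue): "groupId:artifactId:version" -> its declared dependencies, in order.
GRAPH = {
    "example:app:1.0": ["org.slf4j:slf4j-api:1.4.0",
                        "ch.qos.logback:logback-classic:0.9.9"],
    "org.slf4j:slf4j-api:1.4.0": [],
    "org.slf4j:slf4j-api:1.5.0": [],
    "ch.qos.logback:logback-classic:0.9.9": ["org.slf4j:slf4j-api:1.5.0"],
}


def version_key(version):
    """Simplified comparison key: numeric dot-separated segments only."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def resolve_nearest_wins(graph, root):
    """Simulate Maven's mediation: breadth-first, so the shallowest (then
    first-declared) version of a groupId:artifactId wins and only the winner's
    own dependencies are walked. Returns (resolved, requested): the winning
    version per artifact, and every version requested anywhere in the tree."""
    resolved, requested = {}, {}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            ga, version = dep.rsplit(":", 1)
            requested.setdefault(ga, []).append(version)
            if ga not in resolved:          # first sighting is the winner
                resolved[ga] = version
                queue.append(dep)
    return resolved, requested


def upper_bound_violations(graph, root):
    """What the rule enforces: fail when a higher version than the resolved one
    was requested by any dependency. Returns {artifact: (resolved, highest)}."""
    resolved, requested = resolve_nearest_wins(graph, root)
    violations = {}
    for ga, versions in requested.items():
        highest = max(versions, key=version_key)
        if version_key(highest) > version_key(resolved[ga]):
            violations[ga] = (resolved[ga], highest)
    return violations


if __name__ == "__main__":
    for ga, (got, wanted) in upper_bound_violations(GRAPH, "example:app:1.0").items():
        print(f"{ga}: resolved {got} but {wanted} is required elsewhere in the tree")
```

Raising the root's slf4j-api declaration to 1.5.0 (the fix the rule pushes you towards) makes the violation list empty.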

      1. MENFORCER-128.patch
        23 kB
        Geoffrey De Smet

        Activity

        Geoffrey De Smet created issue -
        Geoffrey De Smet added a comment -

        Patch attached.
        Please apply on this codebase:
        http://svn.apache.org/repos/asf/maven/enforcer/trunk/

        Geoffrey De Smet made changes -
        Field Original Value New Value
        Attachment MENFORCER-128.patch [ 58804 ]
        Geoffrey De Smet added a comment -

        Patch includes documentation and IT tests.

        Paul Gier made changes -
        Fix Version/s 1.1 [ 17443 ]
        Assignee Paul Gier [ pgier ]
        Geoffrey De Smet added a comment -

        To see what sort of dirt this can bring to the surface in a big project, see this issue:
        https://issues.jboss.org/browse/JBRULES-3382

        Paul Gier added a comment -

        Patch applied in r1242799, thanks!

        Paul Gier made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Robert Scholte added a comment -

        This new rule is called IncompatibleDependencyOverwrite, but I don't think that reflects the real purpose. A lower version can still be compatible. This rule is actually checking if it is using the highest of all defined versions per dependency. IMO something like ForceHighestDependencyVersion or ForceUpperBoundDependency would be a better name. WDYT?

        Paul Gier added a comment -

        I agree the goal name could be more clear. How about RequireUpperBoundDeps? Since other standard rules use "Require" instead of "Force".

        Paul Gier made changes -
        Resolution Fixed [ 1 ]
        Status Closed [ 6 ] Reopened [ 4 ]
        Robert Scholte added a comment -

        You have my +1 for RequireUpperBoundDeps. I noticed Deps is already used for requireReleaseDeps, so that should be fine.

        Paul Gier added a comment -

        Updated goal name in r1243269 and r1243270

        Paul Gier made changes -
        Resolution Fixed [ 1 ]
        Status Reopened [ 4 ] Closed [ 6 ]
        Geoffrey De Smet added a comment - edited

        I am ok with any name change,
        but I do think that "RequireHighestDependencyVersion" is simpler and clearer than "RequireUpperBoundDependencies".
        The term "Upper bound" might not be standard knowledge for the average programmer: http://en.wikipedia.org/wiki/Upper_and_lower_bounds

        Paul Gier added a comment -

        The reason I didn't go with something like RequireHighestDependencyVersion is because it sounds like it will require the highest version available in the repository. Upper bound makes more sense to me because what you are saying is that the version in the POM is the highest version that is acceptable in the dependency tree.

        Anyway, I think as long as the description in the site docs is good, users will be able to figure out what it means.

        Geoffrey De Smet added a comment -

        Ok, sounds good

        Paul Gier added a comment -

        I added a bit more description to the site docs, just to try to make this clear.
        r1243555

        Mark Thomas made changes -
        Project Import Sun Apr 05 10:06:27 UTC 2015 [ 1428228387238 ]
        Mark Thomas made changes -
        Workflow jira [ 12721266 ] Default workflow, editable Closed status [ 12761741 ]
        Mark Thomas made changes -
        Flags Patch [ 10430 ]
        Patch Submitted Yes [ 10763 ]
        Mark Thomas made changes -
        Project Import Sun Apr 05 23:50:18 UTC 2015 [ 1428277818417 ]
        Mark Thomas made changes -
        Workflow jira [ 12958739 ] Default workflow, editable Closed status [ 12995665 ]
        Transition          Time In Source Status  Execution Times  Last Executer  Last Execution Date
        Open -> Closed      1d 3h 46m              1                Paul Gier      10/Feb/12 08:53
        Closed -> Reopened  7h 52m                 1                Paul Gier      10/Feb/12 16:46
        Reopened -> Closed  1d 17h 9m              1                Paul Gier      12/Feb/12 09:56

          People

          • Assignee:
            Paul Gier
            Reporter:
            Geoffrey De Smet
          • Votes:
            0
            Watchers:
            1
